Add telemetry for auto-add package owner feature (#6374)

Author: xavierdecoster

src/NuGetGallery/Security/MicrosoftTeamSubscription.cs

@@ -13,6 +13,23 @@ public class MicrosoftTeamSubscription : IUserSecurityPolicySubscription
 
         internal const string MicrosoftUsername = "Microsoft";
         internal const string Name = "MicrosoftTeamSubscription";
+        internal static readonly string[] AllowedCopyrightNotices = new string[]
+        {
+            "(c) Microsoft Corporation. All rights reserved.",
+            "© Microsoft Corporation. All rights reserved.",
+            "© Microsoft Corporation. All rights reserved.",
+            "© Microsoft Corporation. Tüm hakları saklıdır.",
+            "© Microsoft Corporation. Todos os direitos reservados.",
+            "© Microsoft Corporation. Alle Rechte vorbehalten.",
+            "© Microsoft Corporation. 保留所有权利.",
+            "© Microsoft Corporation. Všechna práva vyhrazena.",
+            "© Microsoft Corporation. Reservados todos los derechos.",
+            "© Microsoft Corporation. Wszelkie prawa zastrzeżone.",
+            "© Microsoft Corporation. Tous droits réservés.",
+            "© Microsoft Corporation. 著作權所有，並保留一切權利。",
+            "© Microsoft Corporation. Tutti i diritti sono riservati.",
+            "© Корпорация Майкрософт (Microsoft Corporation). Все права защищены."
+        };
 
         public string SubscriptionName => Name;
 
@@ -40,24 +57,9 @@ private static List<UserSecurityPolicy> InitializePoliciesList()
             return new List<UserSecurityPolicy>()
             {
                 RequirePackageMetadataCompliancePolicy.CreatePolicy(
-                    Name, 
+                    Name,
                     MicrosoftUsername,
-                    allowedCopyrightNotices: new string[] 
-                    {
-                        "(c) Microsoft Corporation. All rights reserved.",
-                        "© Microsoft Corporation. All rights reserved.",
-                        "© Microsoft Corporation. Tüm hakları saklıdır.",
-                        "© Microsoft Corporation. Todos os direitos reservados.",
-                        "© Microsoft Corporation. Alle Rechte vorbehalten.",
-                        "© Microsoft Corporation. 保留所有权利.",
-                        "© Microsoft Corporation. Všechna práva vyhrazena.",
-                        "© Microsoft Corporation. Reservados todos los derechos.",
-                        "© Microsoft Corporation. Wszelkie prawa zastrzeżone.",
-                        "© Microsoft Corporation. Tous droits réservés.",
-                        "© Microsoft Corporation. 著作權所有，並保留一切權利。",
-                        "© Microsoft Corporation. Tutti i diritti sono riservati.",
-                        "© Корпорация Майкрософт (Microsoft Corporation). Все права защищены."
-                    },
+                    allowedCopyrightNotices: AllowedCopyrightNotices,
                     isLicenseUrlRequired: true,
                     isProjectUrlRequired: true,
                     errorMessageFormat: Strings.SecurityPolicy_RequireMicrosoftPackageMetadataComplianceForPush)

src/NuGetGallery/Security/PackageSecurityPolicyEvaluationContext.cs

@@ -12,19 +12,22 @@ public class PackageSecurityPolicyEvaluationContext : UserSecurityPolicyEvaluati
         public PackageSecurityPolicyEvaluationContext(
             IUserService userService,
             IPackageOwnershipManagementService packageOwnershipManagementService,
+            ITelemetryService telemetryService,
             IEnumerable<UserSecurityPolicy> policies,
             Package package,
             HttpContextBase httpContext)
             : base(policies, httpContext)
         {
             Package = package ?? throw new ArgumentNullException(nameof(package));
             UserService = userService ?? throw new ArgumentNullException(nameof(userService));
+            TelemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
             PackageOwnershipManagementService = packageOwnershipManagementService ?? throw new ArgumentNullException(nameof(packageOwnershipManagementService));
         }
 
         public PackageSecurityPolicyEvaluationContext(
             IUserService userService,
             IPackageOwnershipManagementService packageOwnershipManagementService,
+            ITelemetryService telemetryService,
             IEnumerable<UserSecurityPolicy> policies,
             Package package,
             User sourceAccount,
@@ -34,6 +37,7 @@ public PackageSecurityPolicyEvaluationContext(
         {
             Package = package ?? throw new ArgumentNullException(nameof(package));
             UserService = userService ?? throw new ArgumentNullException(nameof(userService));
+            TelemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
             PackageOwnershipManagementService = packageOwnershipManagementService ?? throw new ArgumentNullException(nameof(packageOwnershipManagementService));
         }
 
@@ -44,6 +48,8 @@ public PackageSecurityPolicyEvaluationContext(
 
         public IUserService UserService { get; }
 
+        public ITelemetryService TelemetryService { get; }
+
         public IPackageOwnershipManagementService PackageOwnershipManagementService { get; }
     }
 }

src/NuGetGallery/Security/RequirePackageMetadataCompliancePolicy.cs

@@ -49,6 +49,11 @@ public override async Task<SecurityPolicyResult> EvaluateAsync(PackageSecurityPo
             // Evaluate package metadata validations
             if (!IsPackageMetadataCompliant(context.Package, state, out var complianceFailures))
             {
+                context.TelemetryService.TrackPackageMetadataComplianceError(
+                    context.Package.Id,
+                    context.Package.NormalizedVersion,
+                    complianceFailures);
+
                 // Package policy not met.
                 return SecurityPolicyResult.CreateErrorResult(
                     string.Format(
@@ -63,12 +68,21 @@ public override async Task<SecurityPolicyResult> EvaluateAsync(PackageSecurityPo
                 // This will also mark the package as verified if the prefix has been reserved by the co-owner.
                 // The entities context is committed later as a single atomic transaction (see PackageUploadService).
                 await context.PackageOwnershipManagementService.AddPackageOwnerAsync(context.Package.PackageRegistration, requiredCoOwner, commitChanges: false);
+
+                context.TelemetryService.TrackPackageOwnershipAutomaticallyAdded(
+                    context.Package.Id,
+                    context.Package.NormalizedVersion);
             }
 
             // If the PackageRegistration is not marked as verified,
             // the account pushing the package has not registered the prefix yet.
             if (!context.Package.PackageRegistration.IsVerified)
             {
+                context.TelemetryService.TrackPackageMetadataComplianceWarning(
+                    context.Package.Id,
+                    context.Package.NormalizedVersion,
+                    complianceWarnings: new[] { Strings.SecurityPolicy_RequirePackagePrefixReserved });
+
                 return SecurityPolicyResult.CreateWarningResult(Strings.SecurityPolicy_RequirePackagePrefixReserved);
             }
 
@@ -77,8 +91,8 @@ public override async Task<SecurityPolicyResult> EvaluateAsync(PackageSecurityPo
         }
 
         public static UserSecurityPolicy CreatePolicy(
-            string subscription, 
-            string requiredCoOwnerUsername, 
+            string subscription,
+            string requiredCoOwnerUsername,
             string[] allowedCopyrightNotices,
             bool isLicenseUrlRequired,
             bool isProjectUrlRequired,
@@ -153,7 +167,7 @@ public class State
 
             [JsonProperty("licUrlReq")]
             public bool IsLicenseUrlRequired { get; set; }
-            
+
             [JsonProperty("projUrlReq")]
             public bool IsProjectUrlRequired { get; set; }
 

src/NuGetGallery/Security/SecurityPolicyService.cs

@@ -32,6 +32,7 @@ private static readonly RequireOrganizationTenantPolicy _organizationTenantPolic
 
         private readonly Lazy<IUserService> _userService;
         private readonly Lazy<IPackageOwnershipManagementService> _packageOwnershipManagementService;
+        private readonly ITelemetryService _telemetryService;
 
         protected IEntitiesContext EntitiesContext { get; set; }
 
@@ -56,6 +57,7 @@ public SecurityPolicyService(
             IAppConfiguration configuration,
             Lazy<IUserService> userService,
             Lazy<IPackageOwnershipManagementService> packageOwnershipManagementService,
+            ITelemetryService telemetryService,
             MicrosoftTeamSubscription microsoftTeamSubscription = null)
         {
             EntitiesContext = entitiesContext ?? throw new ArgumentNullException(nameof(entitiesContext));
@@ -72,6 +74,7 @@ public SecurityPolicyService(
             MicrosoftTeamSubscription = microsoftTeamSubscription;
             _packageOwnershipManagementService = packageOwnershipManagementService ?? throw new ArgumentNullException(nameof(packageOwnershipManagementService));
             _userService = userService ?? throw new ArgumentNullException(nameof(userService));
+            _telemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
         }
 
         /// <summary>
@@ -204,6 +207,7 @@ private async Task<SecurityPolicyResult> EvaluatePackagePoliciesInternalAsync(
                     var context = new PackageSecurityPolicyEvaluationContext(
                         _userService.Value,
                         _packageOwnershipManagementService.Value,
+                        _telemetryService,
                         foundPolicies,
                         package,
                         sourceAccount,

src/NuGetGallery/Services/ITelemetryService.cs

@@ -51,6 +51,10 @@ public interface ITelemetryService
         /// </summary>
         void TrackUserPackageDeleteChecked(UserPackageDeleteEvent details, UserPackageDeleteOutcome outcome);
 
+        void TrackPackageMetadataComplianceError(string packageId, string packageVersion, IEnumerable<string> complianceFailures);
+
+        void TrackPackageMetadataComplianceWarning(string packageId, string packageVersion, IEnumerable<string> complianceWarnings);
+
         /// <summary>
         /// A telemetry event emitted when a user package delete is executed.
         /// </summary>
@@ -64,6 +68,13 @@ public interface ITelemetryService
         /// or empty.</exception>
         void TrackCertificateAdded(string thumbprint);
 
+        /// <summary>
+        /// A telemetry event emitted when a package owner was automatically added to a package registration.
+        /// </summary>
+        /// <param name="packageId">The package registration id.</param>
+        /// <param name="packageVersion">The normalized package version.</param>
+        void TrackPackageOwnershipAutomaticallyAdded(string packageId, string packageVersion);
+
         /// <summary>
         /// A telemetry event emitted when a certificate is activated for an account.
         /// </summary>

src/NuGetGallery/Services/TelemetryService.cs

@@ -6,6 +6,7 @@
 using System.Linq;
 using System.Security.Principal;
 using System.Web;
+using Newtonsoft.Json;
 using NuGet.Versioning;
 using NuGetGallery.Authentication;
 using NuGetGallery.Diagnostics;
@@ -51,11 +52,20 @@ internal class Events
             public const string SymbolPackagePush = "SymbolPackagePush";
             public const string SymbolPackagePushFailure = "SymbolPackagePushFailure";
             public const string SymbolPackageGalleryValidation = "SymbolPackageGalleryValidation";
+            public const string PackageMetadataComplianceError = "PackageMetadataComplianceError";
+            public const string PackageMetadataComplianceWarning = "PackageMetadataComplianceWarning";
+            public const string PackageOwnershipAutomaticallyAdded = "PackageOwnershipAutomaticallyAdded";
         }
 
         private IDiagnosticsSource _diagnosticsSource;
         private ITelemetryClient _telemetryClient;
 
+        private readonly JsonSerializerSettings _defaultJsonSerializerSettings = new JsonSerializerSettings
+        {
+            ReferenceLoopHandling = ReferenceLoopHandling.Ignore,
+            Formatting = Formatting.None
+        };
+
         // ODataQueryFilter properties
         public const string CallContext = "CallContext";
         public const string IsEnabled = "IsEnabled";
@@ -116,6 +126,10 @@ internal class Events
         public const string CreatedDateForAccountToBeDeleted = "CreatedDateForAccountToBeDeleted";
         public const string AccountDeleteSucceeded = "AccountDeleteSucceeded";
 
+        // Package metadata compliance properties
+        public const string ComplianceFailures = "ComplianceFailures";
+        public const string ComplianceWarnings = "ComplianceWarnings";
+
         public const string ValueUnknown = "Unknown";
 
         public TelemetryService(IDiagnosticsService diagnosticsService, ITelemetryClient telemetryClient = null)
@@ -313,6 +327,36 @@ public void TrackPackageRevalidate(Package package)
             TrackMetricForPackage(Events.PackageRevalidate, package);
         }
 
+        public void TrackPackageMetadataComplianceError(string packageId, string packageVersion, IEnumerable<string> complianceFailures)
+        {
+            TrackMetricForPackage(
+                Events.PackageMetadataComplianceError, 
+                packageId, 
+                packageVersion,
+                properties => {
+                    properties.Add(ComplianceFailures, JsonConvert.SerializeObject(complianceFailures, _defaultJsonSerializerSettings));
+                });
+        }
+
+        public void TrackPackageMetadataComplianceWarning(string packageId, string packageVersion, IEnumerable<string> complianceWarnings)
+        {
+            TrackMetricForPackage(
+                Events.PackageMetadataComplianceWarning,
+                packageId,
+                packageVersion,
+                properties => {
+                    properties.Add(ComplianceWarnings, JsonConvert.SerializeObject(complianceWarnings, _defaultJsonSerializerSettings));
+                });
+        }
+
+        public void TrackPackageOwnershipAutomaticallyAdded(string packageId, string packageVersion)
+        {
+            TrackMetricForPackage(
+                Events.PackageOwnershipAutomaticallyAdded, 
+                packageId, 
+                packageVersion);
+        }
+
         public void TrackCertificateAdded(string thumbprint)
         {
             TrackMetricForCertificateActivity(Events.CertificateAdded, thumbprint);

tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs

@@ -1580,13 +1580,16 @@ private static ISecurityPolicyService CreateSecurityPolicyService(
                     var configurationMock = new Mock<IAppConfiguration>(MockBehavior.Strict);
                     configurationMock.SetupGet(m => m.EnforceDefaultSecurityPolicies).Returns(false);
 
+                    var telemetryServiceMock = new Mock<ITelemetryService>();
+
                     return new SecurityPolicyService(
                         entitiesContext,
                         auditing,
                         diagnostics,
                         configurationMock.Object,
                         userServiceFactory,
-                        packageOwnershipManagementServiceFactory);
+                        packageOwnershipManagementServiceFactory,
+                        telemetryServiceMock.Object);
                 }
 
                 private static Mock<TestPackageReader> CreatePackage(

tests/NuGetGallery.Facts/Security/MicrosoftTeamSubscriptionFacts.cs

@@ -26,6 +26,7 @@ public void Policies_ReturnsMicrosoftTeamSubscriptionPolicies()
                 "\"copy\":" +
                 "[" +
                 "\"(c) Microsoft Corporation. All rights reserved.\"," +
+                "\"© Microsoft Corporation. All rights reserved.\"," +
                 "\"© Microsoft Corporation. All rights reserved.\"," +
                 "\"© Microsoft Corporation. Tüm hakları saklıdır.\"," +
                 "\"© Microsoft Corporation. Todos os direitos reservados.\"," +