Narrow PackageIdScopeMismatch message to only subject-specific failures

Agent-Logs-Url: https://github.com/NuGet/NuGetGallery/sessions/ea627cbc-c05e-4934-a5db-f026d6e804ee

Co-authored-by: joelverhagen <[email protected]>

Author: Copilot

src/NuGetGallery.Services/Authentication/ApiScopeEvaluationResult.cs

@@ -30,11 +30,18 @@ public class ApiScopeEvaluationResult
         public bool IsOwnerConfirmed => Owner != null && Owner.Confirmed;
         public bool IsOwnerLocked => Owner != null && Owner.IsLocked;
 
-        public ApiScopeEvaluationResult(User owner, PermissionsCheckResult permissionsCheckResult, bool scopesAreValid)
+        /// <summary>
+        /// True when <see cref="ScopesAreValid"/> is false and at least one scope allows the requested action,
+        /// meaning the mismatch is specifically because no scope's subject pattern matches the package ID.
+        /// </summary>
+        public bool IsPackageIdScopeMismatch { get; }
+
+        public ApiScopeEvaluationResult(User owner, PermissionsCheckResult permissionsCheckResult, bool scopesAreValid, bool isPackageIdScopeMismatch = false)
         {
             ScopesAreValid = scopesAreValid;
             PermissionsCheckResult = permissionsCheckResult;
             Owner = owner;
+            IsPackageIdScopeMismatch = isPackageIdScopeMismatch;
         }
 
         /// <summary>

src/NuGetGallery.Services/Authentication/ApiScopeEvaluator.cs

@@ -72,7 +72,11 @@ internal ApiScopeEvaluationResult Evaluate<TEntity>(
 
             if (matchingScope == null)
             {
-                return new ApiScopeEvaluationResult(ownerInScope, PermissionsCheckResult.Unknown, scopesAreValid: false);
+                // Determine whether the subject (package ID) is specifically what caused the mismatch,
+                // by checking whether any scope allows the requested action regardless of subject.
+                var isPackageIdScopeMismatch = requestedActions != null
+                    && scopes.Any(scope => scope.AllowsActions(requestedActions));
+                return new ApiScopeEvaluationResult(ownerInScope, PermissionsCheckResult.Unknown, scopesAreValid: false, isPackageIdScopeMismatch: isPackageIdScopeMismatch);
             }
 
             var isActionAllowed = action.CheckPermissions(currentUser, ownerInScope, entity);

src/NuGetGallery/Controllers/ApiController.cs

@@ -1227,7 +1227,7 @@ private HttpStatusCodeWithBodyResult GetHttpResultFromFailedApiScopeEvaluationHe
             }
 
             string message;
-            if (!result.ScopesAreValid)
+            if (result.IsPackageIdScopeMismatch)
             {
                 message = Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch;
             }

tests/NuGetGallery.Facts/Authentication/ApiScopeEvaluatorFacts.cs

@@ -41,9 +41,10 @@ private void AssertResult(ApiScopeEvaluationResult result, User owner, Permissio
                 Assert.True(owner.MatchesUser(result.Owner));
             }
 
-            private void AssertScopesNotValidResult(ApiScopeEvaluationResult result)
+            private void AssertScopesNotValidResult(ApiScopeEvaluationResult result, bool isPackageIdScopeMismatch = false)
             {
                 AssertResult(result, owner: null, permissionsCheckResult: PermissionsCheckResult.Unknown, scopesAreValid: false);
+                Assert.Equal(isPackageIdScopeMismatch, result.IsPackageIdScopeMismatch);
             }
 
             [Fact]
@@ -77,6 +78,21 @@ public void ReturnsForbiddenWhenActionIsNotAllowedByScope()
                 AssertScopesNotValidResult(result);
             }
 
+            [Fact]
+            public void SetsIsPackageIdScopeMismatchWhenSubjectDoesNotMatchButActionDoes()
+            {
+                // Arrange
+                var scope = new Scope("notallowed", NuGetScopes.PackagePush);
+
+                var apiScopeEvaluator = Setup();
+
+                // Act
+                var result = apiScopeEvaluator.Evaluate(null, new[] { scope }, null, null, DefaultGetSubjectFromEntity, NuGetScopes.PackagePush);
+
+                // Assert
+                AssertScopesNotValidResult(result, isPackageIdScopeMismatch: true);
+            }
+
             public static IEnumerable<object[]> EvaluatesNoScopesAsAllInclusive_Data
             {
                 get

tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs

@@ -205,7 +205,8 @@ public static IEnumerable<object[]> InvalidScopes_Data
         {
             get
             {
-                yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch);
+                yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false, isPackageIdScopeMismatch: true), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch);
+                yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false, isPackageIdScopeMismatch: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized);
 
                 foreach (var result in Enum.GetValues(typeof(PermissionsCheckResult)).Cast<PermissionsCheckResult>())
                 {