[OIDC] Add method to create a short-lived API key (minimal) (#10267)

This is a stub implementation until we have finalized the new API key design.

Author: joelverhagen

src/NuGetGallery.Services/Authentication/CredentialBuilder.cs

@@ -6,6 +6,7 @@
 using System.Linq;
 using NuGet.Services.Entities;
 using NuGetGallery.Authentication;
+using NuGetGallery.Services.Authentication;
 
 namespace NuGetGallery.Infrastructure.Authentication
 {
@@ -28,6 +29,28 @@ public Credential CreatePasswordCredential(string plaintextPassword)
                 V3Hasher.GenerateHash(plaintextPassword));
         }
 
+        public Credential CreateShortLivedApiKey(TimeSpan expiration, FederatedCredentialPolicy policy, out string plaintextApiKey)
+        {
+            if (policy.PackageOwner is null)
+            {
+                throw new ArgumentException($"The {nameof(policy.PackageOwner)} property on the policy must not be null.");
+            }
+
+            if (expiration <= TimeSpan.Zero || expiration > TimeSpan.FromHours(1))
+            {
+                throw new ArgumentOutOfRangeException(nameof(expiration));
+            }
+
+            // TODO: introduce a new API key type for short-lived API keys
+            // Tracking: https://github.com/NuGet/NuGetGallery/issues/10212
+            var credential = CreateApiKey(expiration, out plaintextApiKey);
+
+            credential.Description = "Short-lived API key generated via a federated credential";
+            credential.Scopes = [new Scope(policy.PackageOwner, NuGetPackagePattern.AllInclusivePattern, NuGetScopes.All)];
+
+            return credential;
+        }
+
         public Credential CreateApiKey(TimeSpan? expiration, out string plaintextApiKey)
         {
             var apiKey = ApiKeyV4.Create();

src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs

@@ -20,5 +20,7 @@ public interface ICredentialBuilder
         IList<Scope> BuildScopes(User scopeOwner, string[] scopes, string[] subjects);
 
         bool VerifyScopes(User currentUser, IEnumerable<Scope> scopes);
+
+        Credential CreateShortLivedApiKey(TimeSpan expiration, FederatedCredentialPolicy policy, out string plaintextApiKey);
     }
 }

tests/NuGetGallery.Facts/Authentication/CredentialBuilderFacts.cs

@@ -0,0 +1,83 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using NuGet.Services.Entities;
+using NuGetGallery.Authentication;
+using Xunit;
+
+namespace NuGetGallery.Infrastructure.Authentication
+{
+    public class CredentialBuilderFacts
+    {
+        public class TheCreateShortLivedApiKeyMethod : CredentialBuilderFacts
+        {
+            [Fact]
+            public void CreatesShortLivedApiKey()
+            {
+                // Act
+                var credential = Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey);
+
+                // Assert
+                Assert.Null(credential.User);
+                Assert.Equal(default, credential.UserKey);
+                Assert.StartsWith("oy2", plaintextApiKey, StringComparison.Ordinal);
+                Assert.Equal(CredentialTypes.ApiKey.V4, credential.Type);
+                Assert.Equal("Short-lived API key generated via a federated credential", credential.Description);
+                Assert.Equal(Expiration.Ticks, credential.ExpirationTicks);
+                Assert.Null(credential.User);
+
+                var scope = Assert.Single(credential.Scopes);
+                Assert.Equal(NuGetScopes.All, scope.AllowedAction);
+                Assert.Equal(NuGetPackagePattern.AllInclusivePattern, scope.Subject);
+                Assert.Same(Policy.PackageOwner, scope.Owner);
+            }
+
+            [Fact]
+            public void RejectsMissingPackageOwner()
+            {
+                // Arrange
+                Policy.PackageOwner = null;
+
+                // Act
+                Assert.Throws<ArgumentException>(() => Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey));
+            }
+
+            [Theory]
+            [InlineData(-1)]
+            [InlineData(0)]
+            [InlineData(61)]
+            public void RejectsOutOfRangeExpiration(int expirationMinutes)
+            {
+                // Arrange
+                Expiration = TimeSpan.FromMinutes(expirationMinutes);
+
+                // Act
+                Assert.Throws<ArgumentOutOfRangeException>(() => Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey));
+            }
+
+            public FederatedCredentialPolicy Policy { get; }
+
+            public TheCreateShortLivedApiKeyMethod()
+            {
+                Policy = new FederatedCredentialPolicy
+                {
+                    Key = 23,
+                    PackageOwner = new User { Key = 42 },
+                    CreatedBy = new User { Key = 43 },
+                };
+            }
+        }
+
+        public TimeSpan Expiration { get; set; }
+
+        public CredentialBuilder Target { get; }
+
+        public CredentialBuilderFacts()
+        {
+            Expiration = TimeSpan.FromMinutes(13);
+
+            Target = new CredentialBuilder();
+        }
+    }
+}