[OIDC 17] Add token API for trading bearer token for API key (#10308)

* [OIDC] Add token API for trading bearer token for API key
* Add hard enable/disable switch for the token api controller
* Use camelCase like our other JSON APIs

Author: joelverhagen

src/NuGetGallery.Services/Authentication/AuthenticationTypes.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 namespace NuGetGallery.Authentication
@@ -8,5 +8,6 @@ public static class AuthenticationTypes
         public static readonly string External = "External";
         public static readonly string LocalUser = "LocalUser";
         public static readonly string ApiKey = "ApiKey";
+        public static readonly string Federated = "Federated";
     }
-}
+}

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs

@@ -12,6 +12,12 @@ namespace NuGetGallery.Services.Authentication
 {
     public interface IFederatedCredentialConfiguration
     {
+        /// <summary>
+        /// A hard switch to enable the token API. This is set by a deployment-time configuration to reduce the
+        /// complexity of checking whether the token API is enabled (compared to feature flags).
+        /// </summary>
+        bool EnableTokenApi { get; }
+
         /// <summary>
         /// The expected audience for the incoming token. This is the "aud" claim and should be specific to the gallery
         /// service itself (not shared between multiple services). This is used only for Entra ID token validation.
@@ -35,6 +41,8 @@ public interface IFederatedCredentialConfiguration
 
     public class FederatedCredentialConfiguration : IFederatedCredentialConfiguration
     {
+        public bool EnableTokenApi { get; set; }
+
         public string? EntraIdAudience { get; set; }
 
         public TimeSpan ShortLivedApiKeyDuration { get; set; } = TimeSpan.FromMinutes(15);

src/NuGetGallery/App_Start/Routes.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System.Web.Mvc;
 using System.Web.Routing;
@@ -907,6 +907,12 @@ public static void RegisterApiV2Routes(RouteCollection routes)
                 RouteName.ApiSimulateError,
                 "api/simulate-error",
                 new { controller = "Api", action = nameof(ApiController.SimulateError) });
+
+            routes.MapRoute(
+                RouteName.CreateToken,
+                "api/v2/token",
+                defaults: new { controller = TokenApiController.ControllerName, action = nameof(TokenApiController.CreateToken) },
+                constraints: new { httpMethod = new HttpMethodConstraint("POST") });
         }
     }
-}
+}

src/NuGetGallery/Controllers/TokenApiController.cs

@@ -0,0 +1,174 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Specialized;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using System.Web.Mvc;
+using NuGetGallery.Authentication;
+using NuGetGallery.Services.Authentication;
+
+#nullable enable
+
+namespace NuGetGallery
+{
+    public class CreateTokenRequest
+    {
+        public string? Username { get; set; }
+
+        public string? TokenType { get; set; }
+    }
+
+    public class TokenApiController : AppController
+    {
+        public static readonly string ControllerName = nameof(TokenApiController).Replace("Controller", string.Empty);
+        private const string JsonContentType = "application/json";
+        private const string ApiKeyTokenType = "ApiKey";
+        private const string BearerScheme = "Bearer";
+        private const string BearerPrefix = $"{BearerScheme} ";
+        private const string AuthorizationHeaderName = "Authorization";
+
+        private readonly IFederatedCredentialService _federatedCredentialService;
+        private readonly IFederatedCredentialConfiguration _configuration;
+
+        public TokenApiController(
+            IFederatedCredentialService federatedCredentialService,
+            IFederatedCredentialConfiguration configuration)
+        {
+            _federatedCredentialService = federatedCredentialService ?? throw new ArgumentNullException(nameof(federatedCredentialService));
+            _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
+        }
+
+#pragma warning disable CA3147 // No need to validate Antiforgery Token with API request
+        [HttpPost]
+        [ActionName(RouteName.CreateToken)]
+        [AllowAnonymous] // authentication is handled inside the action
+        public async Task<ActionResult> CreateToken(CreateTokenRequest request)
+#pragma warning restore CA3147 // No need to validate Antiforgery Token with API request
+        {
+            if (!_configuration.EnableTokenApi)
+            {
+                return HttpNotFound();
+            }
+
+            if (!TryGetBearerToken(Request.Headers, out var bearerToken, out var errorMessage))
+            {
+                return UnauthorizedJson(errorMessage!);
+            }
+
+            if (User.Identity.IsAuthenticated)
+            {
+                return UnauthorizedJson("Only Bearer token authentication is accepted.");
+            }
+
+            if (!MediaTypeWithQualityHeaderValue.TryParse(Request.ContentType, out var parsed)
+                || !string.Equals(parsed.MediaType, JsonContentType, StringComparison.OrdinalIgnoreCase))
+            {
+                return ErrorJson(HttpStatusCode.UnsupportedMediaType, $"The request must have a Content-Type of '{JsonContentType}'.");
+            }
+
+            if (string.IsNullOrWhiteSpace(Request.UserAgent))
+            {
+                return ErrorJson(HttpStatusCode.BadRequest, "A User-Agent header is required.");
+            }
+
+            if (string.IsNullOrWhiteSpace(request?.Username))
+            {
+                return ErrorJson(HttpStatusCode.BadRequest, "The username property in the request body is required.");
+            }
+
+            if (request?.TokenType != ApiKeyTokenType)
+            {
+                return ErrorJson(HttpStatusCode.BadRequest, $"The tokenType property in the request body is required and must set to '{ApiKeyTokenType}'.");
+            }
+
+            var result = await _federatedCredentialService.GenerateApiKeyAsync(request!.Username!, bearerToken!, Request.Headers);
+
+            return result.Type switch
+            {
+                GenerateApiKeyResultType.BadRequest => ErrorJson(HttpStatusCode.BadRequest, result.UserMessage),
+                GenerateApiKeyResultType.Unauthorized => UnauthorizedJson(result.UserMessage),
+                GenerateApiKeyResultType.Created => ApiKeyJson(result),
+                _ => throw new NotImplementedException($"Unexpected result type: {result.Type}"),
+            };
+        }
+
+        private JsonResult ApiKeyJson(GenerateApiKeyResult result)
+        {
+            return Json(HttpStatusCode.OK, new
+            {
+                tokenType = ApiKeyTokenType,
+                expires = result.Expires.ToString("O"),
+                apiKey = result.PlaintextApiKey,
+            });
+        }
+
+        private JsonResult UnauthorizedJson(string errorMessage)
+        {
+            // Add the "Federated" challenge so the other authentication providers (such as the default sign-in) are not triggered.
+            OwinContext.Authentication.Challenge(AuthenticationTypes.Federated);
+
+            Response.Headers["WWW-Authenticate"] = BearerScheme;
+
+            return ErrorJson(HttpStatusCode.Unauthorized, errorMessage);
+        }
+
+        private JsonResult ErrorJson(HttpStatusCode status, string errorMessage)
+        {
+            // Show the error message in the HTTP reason phrase (status description) for compatibility with NuGet client error "protocol".
+            // This, and the response body below, could be formalized with https://github.com/NuGet/NuGetGallery/issues/5818
+            Response.StatusDescription = errorMessage;
+
+            return Json(status, new { error = errorMessage });
+        }
+
+        private static bool TryGetBearerToken(NameValueCollection requestHeaders, out string? bearerToken, out string? errorMessage)
+        {
+            var authorizationHeaders = requestHeaders.GetValues(AuthorizationHeaderName);
+            if (authorizationHeaders is null || authorizationHeaders.Length == 0)
+            {
+                bearerToken = null;
+                errorMessage = $"The {AuthorizationHeaderName} header is missing.";
+                return false;
+            }
+
+            if (authorizationHeaders.Length > 1)
+            {
+                bearerToken = null;
+                errorMessage = $"Only one {AuthorizationHeaderName} header is allowed.";
+                return false;
+            }
+
+            var authorizationHeader = authorizationHeaders[0];
+            if (!authorizationHeader.StartsWith(BearerPrefix, StringComparison.OrdinalIgnoreCase))
+            {
+                bearerToken = null;
+                errorMessage = $"The {AuthorizationHeaderName} header value must start with '{BearerPrefix}'.";
+                return false;
+            }
+
+            const string missingToken = $"The bearer token is missing from the {AuthorizationHeaderName} header.";
+
+            if (authorizationHeader.Length <= BearerPrefix.Length)
+            {
+                bearerToken = null;
+                errorMessage = missingToken;
+                return false;
+            }
+
+            bearerToken = authorizationHeader.Substring(BearerPrefix.Length);
+            if (string.IsNullOrWhiteSpace(bearerToken))
+            {
+                bearerToken = null;
+                errorMessage = missingToken;
+                return false;
+            }
+
+            bearerToken = bearerToken.Trim();
+            errorMessage = null;
+            return true;
+        }
+    }
+}

src/NuGetGallery/NuGetGallery.csproj

@@ -235,6 +235,7 @@
     <Compile Include="Authentication\AuthDependenciesModule.cs" />
     <Compile Include="Controllers\ExperimentsController.cs" />
     <Compile Include="Controllers\ManageDeprecationJsonApiController.cs" />
+    <Compile Include="Controllers\TokenApiController.cs" />
     <Compile Include="ExtensionMethods.cs" />
     <Compile Include="Extensions\CakeBuildManagerExtensions.cs" />
     <Compile Include="Extensions\ImageExtensions.cs" />

src/NuGetGallery/RouteName.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 namespace NuGetGallery
@@ -118,5 +118,6 @@ public static class RouteName
         public const string PackageRevalidateAction = "PackageRevalidateAction";
         public const string PackageRevalidateSymbolsAction = "PackageRevalidateSymbolsAction";
         public const string Send2FAFeedback = "Send2FAFeedback";
+        public const string CreateToken = "CreateToken";
     }
-}
+}

src/NuGetGallery/Web.config

@@ -203,6 +203,8 @@
     <add key="PackageDelete.MaximumDownloadsForPackageVersion" value=""/>
     <add key="Gallery.BlockLegacyLicenseUrl" value="false"/>
     <add key="Gallery.AllowLicenselessPackages" value="true"/>
+    <add key="FederatedCredential.EnableTokenApi" value="false"/>
+    <add key="FederatedCredential.EntraIdAudience" value=""/>
     <add key="FederatedCredential.ShortLivedApiKeyDuration" value="00:20:00"/>
     <add key="FederatedCredential.EntraIdAudience" value=""/>
     <!-- *********************** -->
@@ -534,10 +536,10 @@
   </system.diagnostics>
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
-			<dependentAssembly>
-				<assemblyIdentity name="Microsoft.Identity.Client" publicKeyToken="0A613F4DD989E8AE" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-4.67.2.0" newVersion="4.67.2.0"/>
-			</dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="Microsoft.Identity.Client" publicKeyToken="0A613F4DD989E8AE" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.67.2.0" newVersion="4.67.2.0"/>
+      </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Caching.Memory" publicKeyToken="ADB9793829DDAE60" culture="neutral"/>
         <bindingRedirect oldVersion="0.0.0.0-8.0.0.1" newVersion="8.0.0.1"/>
@@ -757,7 +759,7 @@
       <dependentAssembly>
         <assemblyIdentity name="AngleSharp" publicKeyToken="e83494dcdc6d31ea" culture="neutral"/>
         <bindingRedirect oldVersion="0.0.0.0-0.17.1.0" newVersion="0.17.1.0"/>
-      </dependentAssembly>      
+      </dependentAssembly>
     </assemblyBinding>
   </runtime>
-</configuration>
+</configuration>

tests/NuGetGallery.Facts/Controllers/ControllerTests.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -75,6 +75,7 @@ public void AllActionsHaveAntiForgeryTokenIfNotGet()
                 new ControllerActionRuleException(typeof(ApiController), nameof(ApiController.PublishPackage)),
                 new ControllerActionRuleException(typeof(ApiController), nameof(ApiController.DeprecatePackage)),
                 new ControllerActionRuleException(typeof(PackagesController), nameof(PackagesController.DisplayPackage)),
+                new ControllerActionRuleException(typeof(TokenApiController), nameof(TokenApiController.CreateToken)),
             };
 
             // Act
@@ -198,4 +199,4 @@ private static string DisplayMethodName(MethodInfo m)
             return $"{m.DeclaringType.FullName}.{m.Name}";
         }
     }
-}
+}