Adds User's MFA status when an API key is created (#8947)

Author: advay26

src/NuGet.Services.Entities/Credential.cs

@@ -84,6 +84,8 @@ public Credential(string type, string value, TimeSpan? expiration)
 
         public CredentialRevocationSource? RevocationSourceKey { get; set; }
 
+        public bool? WasCreatedSecurely { get; set; }
+
         public virtual User User { get; set; }
 
         public virtual ICollection<Scope> Scopes { get; set; }

src/NuGetGallery/Controllers/UsersController.cs

@@ -1053,6 +1053,7 @@ private async Task<CredentialViewModel> GenerateApiKeyInternal(string descriptio
             var newCredential = _credentialBuilder.CreateApiKey(expiration, out string plaintextApiKey);
             newCredential.Description = description;
             newCredential.Scopes = scopes;
+            newCredential.WasCreatedSecurely = User.WasMultiFactorAuthenticated();
 
             await AuthenticationService.AddCredential(user, newCredential);
 

src/NuGetGallery/Migrations/202202010109383_AddCreatedSecurelyToCredentials.Designer.cs

@@ -0,0 +1,18 @@
+namespace NuGetGallery.Migrations
+{
+    using System;
+    using System.Data.Entity.Migrations;
+    
+    public partial class AddCreatedSecurelyToCredentials : DbMigration
+    {
+        public override void Up()
+        {
+            AddColumn("dbo.Credentials", "WasCreatedSecurely", c => c.Boolean());
+        }
+        
+        public override void Down()
+        {
+            DropColumn("dbo.Credentials", "WasCreatedSecurely");
+        }
+    }
+}

src/NuGetGallery/Migrations/202202010109383_AddCreatedSecurelyToCredentials.cs

@@ -319,6 +319,10 @@
     <Compile Include="Migrations\202201242159337_AddUserStatusKeyColumn.designer.cs">
       <DependentUpon>202201242159337_AddUserStatusKeyColumn.cs</DependentUpon>
     </Compile>
+    <Compile Include="Migrations\202202010109383_AddCreatedSecurelyToCredentials.cs" />
+    <Compile Include="Migrations\202202010109383_AddCreatedSecurelyToCredentials.designer.cs">
+      <DependentUpon>202202010109383_AddCreatedSecurelyToCredentials.cs</DependentUpon>
+    </Compile>
     <Compile Include="Modules\CookieComplianceHttpModule.cs" />
     <Compile Include="RequestModels\DeletePackagesApiRequest.cs" />
     <Compile Include="RequestModels\UpdateListedRequest.cs" />
@@ -1660,6 +1664,9 @@
     <EmbeddedResource Include="Migrations\202201242159337_AddUserStatusKeyColumn.resx">
       <DependentUpon>202201242159337_AddUserStatusKeyColumn.cs</DependentUpon>
     </EmbeddedResource>
+    <EmbeddedResource Include="Migrations\202202010109383_AddCreatedSecurelyToCredentials.resx">
+      <DependentUpon>202202010109383_AddCreatedSecurelyToCredentials.cs</DependentUpon>
+    </EmbeddedResource>
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1packages.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1search.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv2getupdates.json" />

src/NuGetGallery/Migrations/202202010109383_AddCreatedSecurelyToCredentials.resx

@@ -906,6 +906,58 @@ await controller.GenerateApiKey(
                 Assert.NotNull(apiKey);
                 Assert.Equal(description, apiKey.Description);
                 Assert.Equal(expectedScopes.Length, apiKey.Scopes.Count);
+                Assert.False(apiKey.WasCreatedSecurely);
+
+                foreach (var expectedScope in expectedScopes)
+                {
+                    var actualScope =
+                        apiKey.Scopes.First(x => x.AllowedAction == expectedScope.AllowedAction &&
+                                                 x.Subject == expectedScope.Subject);
+                    Assert.NotNull(actualScope);
+                }
+            }
+
+            [MemberData(nameof(CreatesNewApiKeyCredential_Input))]
+            [Theory]
+            public async Task CreatesNewApiKeyCredentialSecurely(string description, string[] scopes, string[] subjects, Scope[] expectedScopes)
+            {
+                // Arrange 
+                var user = new User("the-username");
+                GetMock<IUserService>()
+                    .Setup(u => u.FindByUsername(user.Username, false))
+                    .Returns(user);
+
+                GetMock<AuthenticationService>()
+                   .Setup(u => u.AddCredential(
+                       It.IsAny<User>(),
+                       It.IsAny<Credential>()))
+                   .Callback<User, Credential>((u, c) =>
+                   {
+                       u.Credentials.Add(c);
+                       c.User = u;
+                   })
+                   .Completes()
+                   .Verifiable();
+
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                controller.OwinContext.AddClaim(NuGetClaims.WasMultiFactorAuthenticated);
+
+                // Act
+                await controller.GenerateApiKey(
+                    description: description,
+                    owner: user.Username,
+                    scopes: scopes,
+                    subjects: subjects,
+                    expirationInDays: null);
+
+                // Assert
+                var apiKey = user.Credentials.FirstOrDefault(x => x.Type == CredentialTypes.ApiKey.V4);
+
+                Assert.NotNull(apiKey);
+                Assert.Equal(description, apiKey.Description);
+                Assert.Equal(expectedScopes.Length, apiKey.Scopes.Count);
+                Assert.True(apiKey.WasCreatedSecurely);
 
                 foreach (var expectedScope in expectedScopes)
                 {