[OIDC] Add federated credential entities (no DB change yet) (#10252)

Author: joelverhagen

src/NuGet.Services.Entities/FederatedCredential.cs

@@ -0,0 +1,51 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// The record of a federated credential that was accepted by a federated credential policy.
+    /// </summary>
+    public class FederatedCredential : IEntity
+    {
+        /// <summary>
+        /// The unique key for this federated credential. Generated by the database.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// A type enum of the <see cref="FederatedCredentialPolicy.Type"/> that accepted this federated credential.
+        /// </summary>
+        [Required]
+        [Column("TypeKey")]
+        public FederatedCredentialType Type { get; set; }
+
+        /// <summary>
+        /// The key of the federated credential policy that accepted this federated credential. This does not have a
+        /// foreign key constraint because the policy may be deleted, but the credential record should remain to ensure
+        /// the <see cref="Identity"/> unique constraint is enforced (to prevent replay).
+        /// </summary>
+        public int FederatedCredentialPolicyKey { get; set; }
+
+        /// <summary>
+        /// A unique identifier for the federated credential used to create this credential record. For OIDC tokens,
+        /// this is the "jti" or "uti" claim. This must be unique to ensure tokens are not replayed.
+        /// </summary>
+        [StringLength(maximumLength: 64)]
+        public string Identity { get; set; }
+
+        /// <summary>
+        /// When this record was first created. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Created { get; set; }
+
+        /// <summary>
+        /// When the federated credential expires. For OIDC tokens, this will be the "exp" claim. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Expires { get; set; }
+    }
+}

src/NuGet.Services.Entities/FederatedCredentialPolicy.cs

@@ -0,0 +1,86 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// This entity defines which federated credentials can operate on behalf of a user. The policy is used to evaluate
+    /// an incoming federated credential and define what actions can be taken on behalf of the user.
+    /// </summary>
+    public class FederatedCredentialPolicy : IEntity
+    {
+        /// <summary>
+        /// The unique key for this federated credential policy. Generated by the database.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// When this entity was first created. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Created { get; set; }
+
+        /// <summary>
+        /// When this policy was last evaluated against an external credential and it matched. The timestamp is in UTC.
+        /// </summary>
+        public DateTime? LastMatched { get; set; }
+
+        /// <summary>
+        /// A type enum to determine how the <see cref="Criteria"/> field should be interpreted.
+        ///
+        /// Think of this field as a category of federated credential, where a given type value is specific to a
+        /// particular identity provider (e.g. Entra ID) and specific type of credential provided by that identity
+        /// provider (e.g. OpenID Connect token for a service principal in the app-only flow).
+        ///
+        /// The type should be one of the values defined in <see cref="FederatedCredentialType"/>.
+        ///
+        /// This column name ends in "Key" to allow a future where this is normalized into its own table, much like
+        /// <see cref="Package.PackageStatusKey"/> and <see cref="Package.SemVerLevelKey"/>.
+        /// </summary>
+        [Required]
+        [Column("TypeKey")]
+        public FederatedCredentialType Type { get; set; }
+
+        /// <summary>
+        /// A JSON object used to evaluate whether a token matches a user-provided pattern. Some criteria may be
+        /// implied by the <see cref="System.Type"/> and may not be explicitly states in this field. Only criteria that varies
+        /// from user to user or between individual cases should be expressed in this JSON object.
+        ///
+        /// The maximum length is defined by the application and has an unbounded length in the database.
+        /// </summary>
+        [Required]
+        public string Criteria { get; set; }
+
+        /// <summary>
+        /// The key of the user that created this policy. If this policy was created by a site admin, this key will
+        /// point to the user record that the site admin was acting on behalf of, not the site admin themselves.
+        /// </summary>
+        public int CreatedByUserKey { get; set; }
+
+        /// <summary>
+        /// The key of the owner user or owner organization that this policy will create API keys scoped for. This is
+        /// the user or organization that the user referred to by <see cref="UserKey"/> is acting on behalf of. This
+        /// value will be used in resulting short-lived API keys in the <see cref="Scope.OwnerKey"/> value.
+        /// </summary>
+        public int PackageOwnerUserKey { get; set; }
+
+        /// <summary>
+        /// The navigation property for the user that created the policy, defined by <see cref="CreatedByUserKey"/>.
+        /// </summary>
+        public virtual User CreatedBy { get; set; }
+
+        /// <summary>
+        /// The navigation property for the package owner user, defined by <see cref="PackageOwnerUserKey"/>.
+        /// </summary>
+        public virtual User PackageOwner { get; set; }
+
+        /// <summary>
+        /// The navigation property for the credentials that were allowed and created by this policy.
+        /// </summary>
+        public virtual ICollection<Credential> Credentials { get; set; }
+    }
+}

src/NuGet.Services.Entities/FederatedCredentialType.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// The types of federated credentials criteria that can be used to validate external credentials. This
+    /// enum is used for the <see cref="FederatedCredentialPolicy.Type"/> property.
+    /// </summary>
+    public enum FederatedCredentialType
+    {
+        /// <summary>
+        /// This credential type applies to Microsoft Entra ID OpenID Connect (OIDC) tokens, issued for a specific
+        /// service principal. The service principal is identified by a tenant (directory ID) and an object ID (object
+        /// ID). The application (client) ID is not used because the object ID uniquely identifies the service principal
+        /// within the tenant. An object ID is required to show the service principal is provisioned within the tenant.
+        ///
+        /// Additional validation is done on the token claims which are the same for all Entra ID tokens, such as
+        /// subject and expiration claims.
+        /// </summary>
+        EntraIdServicePrincipal = 1,
+    }
+}

src/NuGetGallery/App_Start/DefaultDependenciesModule.cs

@@ -282,6 +282,16 @@ protected override void Load(ContainerBuilder builder)
                 .As<IEntityRepository<PackageRename>>()
                 .InstancePerLifetimeScope();
 
+            builder.RegisterType<EntityRepository<FederatedCredentialPolicy>>()
+                .AsSelf()
+                .As<IEntityRepository<FederatedCredentialPolicy>>()
+                .InstancePerLifetimeScope();
+
+            builder.RegisterType<EntityRepository<FederatedCredential>>()
+                .AsSelf()
+                .As<IEntityRepository<FederatedCredential>>()
+                .InstancePerLifetimeScope();
+
             ConfigureGalleryReadOnlyReplicaEntitiesContext(builder, loggerFactory, configuration, secretInjector, telemetryService);
 
             var supportDbConnectionFactory = CreateDbConnectionFactory(