Move GitHub vulnerabilities verifier to its own Job (#8146)

* Move PVA Verify command to its own job, use Key Vault secrets for db auth

Author: drewgillies

NuGetGallery.sln

@@ -50,6 +50,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitHubVulnerabilities2Db",
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitHubVulnerabilities2Db.Facts", "tests\GitHubVulnerabilities2Db.Facts\GitHubVulnerabilities2Db.Facts.csproj", "{E50953CB-209A-484E-951D-A68F5CF3C546}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "VerifyGitHubVulnerabilities", "src\VerifyGitHubVulnerabilities\VerifyGitHubVulnerabilities.csproj", "{C0B764D2-D376-439E-A5C4-1AC41B11E9DE}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -124,6 +126,10 @@ Global
 		{E50953CB-209A-484E-951D-A68F5CF3C546}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E50953CB-209A-484E-951D-A68F5CF3C546}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E50953CB-209A-484E-951D-A68F5CF3C546}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C0B764D2-D376-439E-A5C4-1AC41B11E9DE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C0B764D2-D376-439E-A5C4-1AC41B11E9DE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C0B764D2-D376-439E-A5C4-1AC41B11E9DE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C0B764D2-D376-439E-A5C4-1AC41B11E9DE}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -146,6 +152,7 @@ Global
 		{98765110-844D-41BE-8083-22E064136E05} = {39E54EC3-CBAA-453A-BE64-748FE1559A58}
 		{26BB718A-E1C1-4E70-9008-FB8EE7A7F7E5} = {2204C510-A559-4ED7-9590-FDC09093575B}
 		{E50953CB-209A-484E-951D-A68F5CF3C546} = {39E54EC3-CBAA-453A-BE64-748FE1559A58}
+		{C0B764D2-D376-439E-A5C4-1AC41B11E9DE} = {2204C510-A559-4ED7-9590-FDC09093575B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {064A3BDE-5203-4AD6-A6C9-5CF08301EC8F}

build.ps1

@@ -116,6 +116,7 @@ Invoke-BuildStep 'Creating artifacts' { `
     New-Package (Join-Path $PSScriptRoot "src\AccountDeleter\Gallery.AccountDeleter.nuspec") -Configuration $Configuration -BuildNumber $BuildNumber -Version $SemanticVersion -Branch $Branch -MSBuildVersion "15"
     New-Package (Join-Path $PSScriptRoot "src\GitHubVulnerabilities2Db\GitHubVulnerabilities2Db.nuspec") -Configuration $Configuration -BuildNumber $BuildNumber -Version $SemanticVersion -Branch $Branch -MSBuildVersion "15"
     New-Package (Join-Path $PSScriptRoot "src\GalleryTools\Gallery.GalleryTools.nuspec") -Configuration $Configuration -BuildNumber $BuildNumber -Version $SemanticVersion -Branch $Branch -MSBuildVersion "15"
+    New-Package (Join-Path $PSScriptRoot "src\VerifyGitHubVulnerabilities\VerifyGitHubVulnerabilities.nuspec") -Configuration $Configuration -BuildNumber $BuildNumber -Version $SemanticVersion -Branch $Branch -MSBuildVersion "15"
 
     if (!$VerifyMicrosoftPackageVersion) { $VerifyMicrosoftPackageVersion = $SemanticVersion }
     New-Package (Join-Path $PSScriptRoot "src\VerifyMicrosoftPackage\VerifyMicrosoftPackage.nuspec") -Configuration $Configuration -BuildNumber $BuildNumber -Version $VerifyMicrosoftPackageVersion -Branch $Branch -MSBuildVersion "15"

src/GalleryTools/Commands/VerifyGitHubVulnerabilitiesCommand.cs

@@ -52,7 +52,6 @@
     <Compile Include="Commands\ReflowCommand.cs" />
     <Compile Include="Commands\UpdateIsLatestCommand.cs" />
     <Compile Include="Commands\VerifyApiKeyCommand.cs" />
-    <Compile Include="Commands\VerifyGitHubVulnerabilitiesCommand.cs" />
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="Properties\AssemblyInfo.*.cs" />

src/GalleryTools/GalleryTools.csproj

@@ -21,7 +21,6 @@ public static int Main(params string[] args)
             commandLineApplication.Command("filldevdeps", BackfillDevelopmentDependencyCommand.Configure);
             commandLineApplication.Command("verifyapikey", VerifyApiKeyCommand.Configure);
             commandLineApplication.Command("updateIsLatest", UpdateIsLatestCommand.Configure);
-            commandLineApplication.Command("verifyVulnerabilities", VerifyGitHubVulnerabilitiesCommand.Configure);
 
             try
             {

src/GalleryTools/Program.cs

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
+    </startup>
+</configuration>

src/VerifyGitHubVulnerabilities/App.config

@@ -0,0 +1,20 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace VerifyGitHubVulnerabilities.Configuration
+{
+    public class VerifyGitHubVulnerabilitiesConfiguration
+    {
+        /// <summary>
+        /// GitHub's v4 GraphQL API endpoint.
+        /// </summary>
+        public Uri GitHubGraphQLQueryEndpoint { get; set; } = new Uri("https://api.github.com/graphql");
+
+        /// <summary>
+        /// The personal access token to use to authenticate with GitHub.
+        /// </summary>
+        public string GitHubPersonalAccessToken { get; set; }
+    }
+}

src/VerifyGitHubVulnerabilities/Configuration/VerifyGitHubVulnerabilitiesConfiguration.cs

@@ -0,0 +1,70 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHubVulnerabilities2Db.GraphQL;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using VerifyGitHubVulnerabilities.Configuration;
+
+namespace VerifyGitHubVulnerabilities.GraphQL
+{
+    public class QueryService : IQueryService
+    {
+        /// <remarks>
+        /// GitHub requires that every request includes a UserAgent.
+        /// </remarks>
+        public const string UserAgent = "NuGet.Jobs.VerifyGitHubVulnerabilities";
+
+        private readonly VerifyGitHubVulnerabilitiesConfiguration _configuration;
+        private readonly HttpClient _client;
+
+        public QueryService(
+            VerifyGitHubVulnerabilitiesConfiguration configuration,
+            HttpClient client)
+        {
+            _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
+            _client = client ?? throw new ArgumentNullException(nameof(client));
+        }
+
+        public async Task<QueryResponse> QueryAsync(string query, CancellationToken token)
+        {
+            var queryJObject = new JObject
+            {
+                ["query"] = query
+            };
+
+            var response = await MakeWebRequestAsync(queryJObject.ToString(), token);
+            return JsonConvert.DeserializeObject<QueryResponse>(response);
+        }
+
+        private async Task<string> MakeWebRequestAsync(string query, CancellationToken token)
+        {
+            using (var request = CreateRequest(query))
+            using (var response = await _client.SendAsync(request, token))
+            {
+                return await response.Content.ReadAsStringAsync();
+            }
+        }
+
+        private HttpRequestMessage CreateRequest(string query)
+        {
+            var message = new HttpRequestMessage
+            {
+                Method = HttpMethod.Post,
+                RequestUri = _configuration.GitHubGraphQLQueryEndpoint,
+                Content = new StringContent(query, Encoding.UTF8, "application/json")
+            };
+
+            message.Headers.Authorization = new AuthenticationHeaderValue(
+                "Bearer", _configuration.GitHubPersonalAccessToken);
+            message.Headers.UserAgent.TryParseAdd(UserAgent);
+            return message;
+        }
+    }
+}