Add restricted API for soft deleting packages (#8290)

Address NuGet/Engineering#3512

Author: joelverhagen

src/NuGetGallery.Services/Configuration/FeatureFlagService.cs

@@ -40,6 +40,7 @@ public class FeatureFlagService : IFeatureFlagService
         private const string PackageRenamesFeatureName = GalleryPrefix + "PackageRenames";
         private const string EmbeddedReadmeFlightName = GalleryPrefix + "EmbeddedReadmes";
         private const string LicenseMdRenderingFlightName = GalleryPrefix + "LicenseMdRendering";
+        private const string DeletePackageApiFlightName = GalleryPrefix + "DeletePackageApi";
 
         private const string ODataV1GetAllNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllNonHijacked";
         private const string ODataV1GetAllCountNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllCountNonHijacked";
@@ -284,5 +285,10 @@ public bool IsODataV2SearchCountNonHijackedEnabled()
         {
             return _client.IsEnabled(ODataV2SearchCountNonHijackedFeatureName, defaultValue: true);
         }
+
+        public bool IsDeletePackageApiEnabled(User user)
+        {
+            return _client.IsEnabled(DeletePackageApiFlightName, user, defaultValue: false);
+        }
     }
 }

src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs

@@ -225,5 +225,10 @@ public interface IFeatureFlagService
         /// Whether the /Search()/$count endpoint is enabled for non-hijacked queries for the V2 OData API.
         /// </summary>
         bool IsODataV2SearchCountNonHijackedEnabled();
+
+        /// <summary>
+        /// Whether or not the user can delete a package through the API.
+        /// </summary>
+        bool IsDeletePackageApiEnabled(User user);
     }
 }

src/NuGetGallery/App_Data/Files/Content/flags.json

@@ -72,6 +72,12 @@
       "SiteAdmins": false,
       "Accounts": [],
       "Domains": []
+    },
+    "NuGetGallery.DeletePackageApi": {
+      "All": false,
+      "SiteAdmins": false,
+      "Accounts": [],
+      "Domains": []
     }
   }
 }

src/NuGetGallery/Controllers/ApiController.cs

@@ -25,6 +25,7 @@
 using NuGetGallery.Authentication;
 using NuGetGallery.Configuration;
 using NuGetGallery.Filters;
+using NuGetGallery.Helpers;
 using NuGetGallery.Infrastructure.Authentication;
 using NuGetGallery.Infrastructure.Mail.Messages;
 using NuGetGallery.Packaging;
@@ -37,6 +38,7 @@ public partial class ApiController
         : AppController
     {
         private const string NuGetExeUrl = "https://dist.nuget.org/win-x86-commandline/v2.8.6/nuget.exe";
+        private const string PackageDeleteApiReason = "Deleted via API";
         private readonly IAutocompletePackageIdsQuery _autocompletePackageIdsQuery;
         private readonly IAutocompletePackageVersionsQuery _autocompletePackageVersionsQuery;
 
@@ -861,7 +863,7 @@ private static ActionResult BadRequestForExceptionMessage(Exception ex)
         [ApiAuthorize]
         [ApiScopeRequired(NuGetScopes.PackageUnlist)]
         [ActionName("DeletePackageApi")]
-        public virtual async Task<ActionResult> DeletePackage(string id, string version)
+        public virtual async Task<ActionResult> DeletePackage(string id, string version, DeletePackageApiRequest request = null)
         {
             var package = PackageService.FindPackageByIdAndVersionStrict(id, version);
             if (package == null)
@@ -870,7 +872,8 @@ public virtual async Task<ActionResult> DeletePackage(string id, string version)
                     HttpStatusCode.NotFound, string.Format(CultureInfo.CurrentCulture, Strings.PackageWithIdAndVersionNotFound, id, version));
             }
 
-            // Check if the current user's scopes allow listing/unlisting the current package ID
+            // Check if the current user's scopes allow listing/unlisting the current package ID. This scope is used for
+            // both unlisting and soft deletion.
             var apiScopeEvaluationResult = EvaluateApiScope(ActionsRequiringPermissions.UnlistOrRelistPackage, package.PackageRegistration, NuGetScopes.PackageUnlist);
             if (!apiScopeEvaluationResult.IsSuccessful())
             {
@@ -884,7 +887,55 @@ public virtual async Task<ActionResult> DeletePackage(string id, string version)
                     string.Format(CultureInfo.CurrentCulture, Strings.PackageIsLocked, package.PackageRegistration.Id));
             }
 
-            await PackageUpdateService.MarkPackageUnlistedAsync(package);
+            var currentUser = GetCurrentUser();
+            DeletePackageAction action;
+            if (request?.Type == null)
+            {
+                action = DeletePackageAction.Unlist;
+            }
+            else if (!request.TryParseAction(out action))
+            {
+                return new HttpStatusCodeWithBodyResult(HttpStatusCode.BadRequest, Strings.DeletePackage_InvalidDeleteType);
+            }
+
+            switch (action)
+            {
+                case DeletePackageAction.Unlist:
+                    await PackageUpdateService.MarkPackageUnlistedAsync(package);
+                    break;
+
+                case DeletePackageAction.SoftDelete:
+                    // A user can only delete packages if there are enabled in the flight and are NOT an admin. The
+                    // admin restriction is for safety reasons. This endpoint is currently intended just for test data
+                    // clean-up which can be done with a very limited, non-admin API key.
+                    if (!FeatureFlagService.IsDeletePackageApiEnabled(currentUser)
+                        || currentUser.IsAdministrator)
+                    {
+                        return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, Strings.DeletePackage_NotAllowed);
+                    }
+
+                    // Apply a hard stop on the deletion if there are too many downloads on this package version. We
+                    // using configuration here and use a constant to mimize the risk of misconfiguration allowing too
+                    // many deletes.
+                    const int downloadCountLimit = 1000;
+                    if (package.DownloadCount >= downloadCountLimit)
+                    {
+                        return new HttpStatusCodeWithBodyResult(
+                            HttpStatusCode.Forbidden,
+                            string.Format(CultureInfo.CurrentCulture, Strings.DeletePackage_TooManyDownloads, downloadCountLimit));
+                    }
+
+                    await PackageDeleteService.SoftDeletePackagesAsync(
+                        new[] { package },
+                        currentUser,
+                        PackageDeleteApiReason,
+                        Strings.AutomatedPackageDeleteSignature);
+                    break;
+
+                default:
+                    throw new NotSupportedException($"The delete package action '{action}' is not supported.");
+            }
+            
             return new EmptyResult();
         }
 

src/NuGetGallery/NuGetGallery.csproj

@@ -303,6 +303,7 @@
       <DependentUpon>202007220027197_AddEmbeddedReadmeTypeColumn.cs</DependentUpon>
     </Compile>
     <Compile Include="Modules\CookieComplianceHttpModule.cs" />
+    <Compile Include="RequestModels\DeletePackagesApiRequest.cs" />
     <Compile Include="Services\IMarkdownService.cs" />
     <Compile Include="Services\IPackageMetadataValidationService.cs" />
     <Compile Include="Services\MarkdownService.cs" />

src/NuGetGallery/RequestModels/DeletePackagesApiRequest.cs

@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace NuGetGallery
+{
+    public enum DeletePackageAction
+    {
+        Unlist,
+        SoftDelete,
+    }
+
+    public class DeletePackageApiRequest
+    {
+        /// <summary>
+        /// We have a clunky string to enum mapping here because the default behavior of ASP.NET MVC model binding
+        /// is not configurable enough for our purposes. If the model property type is an enum, an invalid incoming
+        /// request value is set to be the default enum value, rather than rejecting this request. This behavior is too
+        /// permissive.
+        /// </summary>
+        private static readonly IReadOnlyDictionary<string, DeletePackageAction> Actions = Enum
+            .GetValues(typeof(DeletePackageAction))
+            .Cast<DeletePackageAction>()
+            .ToDictionary(x => x.ToString(), x => x, StringComparer.OrdinalIgnoreCase);
+
+        public bool TryParseAction(out DeletePackageAction action)
+        {
+            return DeletePackageApiRequest.Actions.TryGetValue(Type, out action);
+        }
+
+        public string Type { get; set; }
+    }
+}

src/NuGetGallery/Strings.Designer.cs

@@ -1199,4 +1199,14 @@ The {1} Team</value>
   <data name="UploadPackage_LearnMore_LicenseUrlDreprecation" xml:space="preserve">
     <value>Learn more about license URL deprecation</value>
   </data>
+  <data name="DeletePackage_NotAllowed" xml:space="preserve">
+    <value>Deleting a package through the API is not enabled for your user account.</value>
+  </data>
+  <data name="DeletePackage_InvalidDeleteType" xml:space="preserve">
+    <value>The provided Type in the delete request is not valid.</value>
+  </data>
+  <data name="DeletePackage_TooManyDownloads" xml:space="preserve">
+    <value>The provided package has more than {0} downloads and therefore cannot be deleted via API.</value>
+    <comment>{0} is the download count limit.</comment>
+  </data>
 </root>