Temp keys user policies

[chenriksson]

Adding support for user security policies, including policies for use of temp keys and min client version

Onboarding and auditing will be separate PRs

[skofman1]

consider merging SecurityPolicy attribute with ApiAuthorize attribute.

[skofman1]

Any reason for ISecurityPolicyService not to be a single instance (SingleInstance())?

[joelverhagen]

I think we should prefer InstancePerLifetimeScope over SuntingleInstance until we have a caching/perf/behavior requirement for it. It's easier for unintended interaction between requests to occur with SingleInstance

---

In reply to: 113238685 [](ancestors = 113238685)

[skofman1]

consider making this a static

[skofman1]

// Copyright (c) .NET Foundation. All rights reserved.

null checks

---

Refers to: src/NuGetGallery/Security/UserSecurityPolicyContext.cs:1 in d018112. [](commit_id = d018112, deletion_comment = False)

[cristinamanum]

Is not this duplication of the line 123.

[chenriksson]

Removed

[skofman1]

Looks great! 👍

[cristinamanum]

Can be nulls among these values? In this case will the Max throw?

[chenriksson]

Shouldn't be null, but added logic to guard against it

[cristinamanum]

Do we want to log in AI the null case? The Evaluate below will return a non success result, the user scenario may be impacted in this case.

[chenriksson]

Instead of logging in individual handlers, I'm planning to add telemetry and auditing to the SecurityPolicyService in a separate PR. AI can log any policy failures and include username, policy name and value.

[cristinamanum]

If that will be in a different PR is ok.

[cristinamanum]

Do we want to log in AI the fact that the clientVersion < minClientVersion?

[joelverhagen]

Version [](start = 19, length = 7)

should be a NuGetVersion, really

[joelverhagen]

private [](start = 34, length = 7)

can remove private set;
This is readonly right?

[joelverhagen]

private [](start = 35, length = 7)

can remove private set; as this is readonly

[joelverhagen]

Required [](start = 9, length = 8)

Can' this [Required] attribute be defined in EntitiesContext instead? Seems like you are requiring User.

[chenriksson]

HasRequired in EntitiesContext is for a required relationship. I added Required here since it's the only non-nullable column that isn't a PK/FK. Not sure how this actually gets used, but we don't seem to be consistent with [Required] usage.

[joelverhagen]

ISecurityPolicyService [](start = 15, length = 22)

why public?

[joelverhagen]

EvaluateReturnsFailureIfClientVersionLower [](start = 20, length = 42)

client version is a NuGetVersion not a Version so we should test a couple NuGetVersion variants as well

• 4.1.0-beta1

[joelverhagen]

🕐

[joelverhagen]

Name [](start = 22, length = 4)

I think type name is an implementation detail. We should have a hard coded constant for this (either an int which is consistent with the rest of the DB or const string).

[chenriksson]

Policy handler names are now constants. I left as strings which I think will be easier to read when querying the DB. This PR only reads policies, but the next PR (onboarding) will start writing them.

[joelverhagen]

RequirePackageVerifyScopePolicy [](start = 26, length = 31)

Please use a const string or const int for this. nameof is easy to change with refactoring tools

[joelverhagen]

I see you have unit tests for this so we aren't blind to the change, but I think we should be a bit more explicit about this string. It could even be a public const string property on this class.

---

In reply to: 113264288 [](ancestors = 113264288)

[joelverhagen]

SecurityPolicyResult [](start = 15, length = 20)

seems like success = true and errorMessage != null is an invalid state, right? I like making the ctor private in this case and having a CreateErrorResult(string errorMessage) method.

[joelverhagen]

nit: remove extra line

[joelverhagen]

SecurityPolicyAction [](start = 60, length = 20)

Maybe I am missing it but where are we asserting that RequirePackageVerifyScopePolicy has action PackageVerify and not something else?

[joelverhagen]

Functional test(s)?

[chenriksson]

@joelverhagen I need to create onboarded test account for the functional test. Am thinking of doing onboarding in next PR, then auditing/telemetry, then functional test.

[joelverhagen]

Please make sure the deployment task mentions running EF migrations.

[loic-sharma]

This will throw if the ApiAuthorizeAttribute is used on a controller that doesn't extend AppController, right? I would recommend that you add documentation that this attribute must be used on controllers that extend AppController. Also, maybe throw an exception if the controller isn't an AppController to make this easier to debug if this issue ever comes up?
*

[loic-sharma]

Any particular reason for the policyStates variable? You could merge the two statements into one and return its result directly.

[loic-sharma]

string.IsNullOrEmpty seems a little too strong. Would a null check be better here?