AAD account checks on packages for safety reports (#9360)
drewgillies authored Feb 6, 2023
1 parent 9602e0a commit 3f692c3
Showing 8 changed files with 385 additions and 7 deletions.
5 changes: 5 additions & 0 deletions src/AccountDeleter/EmptyFeatureFlagService.cs
Expand Up @@ -276,6 +276,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
throw new NotImplementedException();
}

public bool IsAllowAadContentSafetyReportsEnabled()
{
throw new NotImplementedException();
}

public bool IsTyposquattingEnabled()
{
throw new NotImplementedException();
5 changes: 5 additions & 0 deletions src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
Expand Up @@ -215,6 +215,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
throw new NotImplementedException();
}

public bool IsAllowAadContentSafetyReportsEnabled()
{
throw new NotImplementedException();
}

public bool IsPackageDependentsEnabled(User user)
{
throw new NotImplementedException();
1 change: 1 addition & 0 deletions src/NuGetGallery.Core/CredentialTypes.cs
Expand Up @@ -104,6 +104,7 @@ public static bool IsApiKey(string type)
{
return type?.StartsWith(ApiKey.Prefix, StringComparison.OrdinalIgnoreCase) ?? false;
}

public static bool IsMicrosoftAccount(string type)
{
return type?.Equals(External.MicrosoftAccount, StringComparison.OrdinalIgnoreCase) ?? false;
6 changes: 6 additions & 0 deletions src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
Expand Up @@ -52,6 +52,7 @@ public class FeatureFlagService : IFeatureFlagService
private const string ImageAllowlistFlightName = GalleryPrefix + "ImageAllowlist";
private const string DisplayBannerFlightName = GalleryPrefix + "Banner";
private const string ShowReportAbuseSafetyChanges = GalleryPrefix + "ShowReportAbuseSafetyChanges";
private const string AllowAadContentSafetyReports = GalleryPrefix + "AllowAadContentSafetyReports";
private const string DisplayTargetFrameworkFeatureName = GalleryPrefix + "DisplayTargetFramework";
private const string ComputeTargetFrameworkFeatureName = GalleryPrefix + "ComputeTargetFramework";
private const string RecentPackagesNoIndexFeatureName = GalleryPrefix + "RecentPackagesNoIndex";
Expand Down Expand Up @@ -333,6 +334,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
return _client.IsEnabled(ShowReportAbuseSafetyChanges, defaultValue: false);
}

public bool IsAllowAadContentSafetyReportsEnabled()
{
return _client.IsEnabled(AllowAadContentSafetyReports, defaultValue: false);
}

public bool IsMarkdigMdRenderingEnabled()
{
return _client.IsEnabled(MarkdigMdRenderingFlightName, defaultValue: false);
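Review bot: The new constant `AllowAadContentSafetyReports` omits the `FlightName`/`FeatureName` suffix that most flags in this class carry (`ImageAllowlistFlightName`, `DisplayTargetFrameworkFeatureName`), following only the adjacent `ShowReportAbuseSafetyChanges`; consider `AllowAadContentSafetyReportsFlightName` so the field name signals it is a flight key rather than a value. The `defaultValue: false` is the right fail-closed choice here, since an unreachable flag client then keeps AAD-owned content on the restricted reason list. None of the eight changed files appears to be a test, so a unit test asserting the key string and the false default would guard against a typo in the flight name silently disabling the gate.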
Expand Up @@ -258,6 +258,11 @@ public interface IFeatureFlagService
/// </summary>
bool IsShowReportAbuseSafetyChangesEnabled();

/// <summary>
/// Whether online safety categories are available to content owned by at least one AAD-authenticated account
/// </summary>
bool IsAllowAadContentSafetyReportsEnabled();

/// <summary>
/// Whether rendering Markdown content to HTML using Markdig is enabled
/// </summary>
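Review bot: The summary on `IsAllowAadContentSafetyReportsEnabled` reads as though the safety categories are offered only for AAD-owned content, whereas the controller usage in this same commit shows the flag relaxes a restriction: the safety reasons are normally withheld from packages that have an AAD-credentialed owner or organization member, and this flag allows them. Reword it to `/// Whether the online-safety report reasons may be offered for packages where a direct owner, or a member of an owning organization, holds an AAD credential; when disabled those packages get the standard report-abuse reasons only`. Adding that it is evaluated together with <see cref="IsShowReportAbuseSafetyChangesEnabled"/> would tell implementers the two flags are read as a pair.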
33 changes: 33 additions & 0 deletions src/NuGetGallery/Controllers/PackagesController.cs
Expand Up @@ -1385,6 +1385,7 @@ public virtual ActionResult ReportAbuse(string id, string version)
var model = new ReportAbuseViewModel
{
ReasonChoices = _featureFlagService.IsShowReportAbuseSafetyChangesEnabled()
&& (_featureFlagService.IsAllowAadContentSafetyReportsEnabled() || PackageHasNoAadOwners(package))
? ReportAbuseWithSafetyReasons
: ReportAbuseReasons,
PackageId = id,
Expand Down Expand Up @@ -2857,6 +2858,38 @@ await _auditingService.SaveAuditRecordAsync(
}
}

private static bool PackageHasNoAadOwners(Package package)
{
var owners = package?.PackageRegistration?.Owners;
if (owners == null || !owners.Any()) {
return true;
}

// First check direct owner credentials
if (owners.Any(o => o.Credentials.GetAzureActiveDirectoryCredential() != null))
{
return false;
}

// Check all members of organization owners
var orgOwners = owners.Where(o => o is Organization).Select(o => o as Organization);
foreach (var orgOwner in orgOwners)
{
if (orgOwner.Members == null)
{
continue;
}

if (orgOwner.Members.Any(m => m.Member?.Credentials != null &&
m.Member.Credentials.GetAzureActiveDirectoryCredential() != null))
{
return false;
}
}

return true;
}

private async Task DeleteUploadedFileForUser(User currentUser, Stream uploadedFileStream)
{
try
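Review bot: The AAD-owner restriction is applied only to the `ReasonChoices` list handed to the view in `ReportAbuse(string id, string version)`, so unless the POST side of ReportAbuse re-runs the same `IsShowReportAbuseSafetyChangesEnabled() && (IsAllowAadContentSafetyReportsEnabled() || PackageHasNoAadOwners(package))` check against the submitted reason, a client can still submit a safety category for an AAD-owned package by editing the form; the POST handler is not in this diff, so confirm it validates server-side rather than trusting the rendered choices. Within `PackageHasNoAadOwners`, direct owners are dereferenced as `o.Credentials.GetAzureActiveDirectoryCredential()` without the null guard the organization-member loop applies (`m.Member?.Credentials != null`); for consistency and to avoid a NullReferenceException if `Credentials` is unloaded, use `o.Credentials?.GetAzureActiveDirectoryCredential() != null`. `owners.Where(o => o is Organization).Select(o => o as Organization)` is `owners.OfType<Organization>()`, and the brace on the empty-owners `if` is K&R while the surrounding new code is Allman. A doc comment such as `/// Returns true when neither a direct owner nor any member of an owning organization holds an AAD credential; a package with no owners counts as having none.` would make the no-owners branch explicit, since it silently widens the reason list. `DeleteUploadedFileForUser` continues past the end of the hunk and is not reviewed here.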
2 changes: 2 additions & 0 deletions src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
Expand Up @@ -103,6 +103,8 @@ public class FakeFeatureFlagService : IFeatureFlagService

public bool IsShowReportAbuseSafetyChangesEnabled() => throw new NotImplementedException();

public bool IsAllowAadContentSafetyReportsEnabled() => throw new NotImplementedException();

public bool IsMarkdigMdRenderingEnabled() => throw new NotImplementedException();

public bool IsMarkdigMdSyntaxHighlightEnabled() => throw new NotImplementedException();