
[OIDC 12] Add admin panel for federated credential policies #10290

Merged: 15 commits from jver-oidc-ship-6 into dev, Dec 10, 2024

Conversation

joelverhagen

Progress on #10212.
Depends on #10289.

This PR adds a new admin panel for our team to manage federated credential policies on behalf of other users. We will use this to manually onboard users to the OIDC feature.

The new option on the admin panel index looks like this: [screenshot]

The admin panel looks like this: [screenshot]

You can add a federated credential policy for a user here: [screenshot]

Search results look like this: [screenshot]

There is a "terminology" section at the bottom as a reference for the feature.

Terminology

Federated credential
A credential from an external system can be traded for a short-lived API key. When a federated credential is used, it is tracked in the database to avoid credential replay (reuse). An example federated credential would be an OpenID Connect (OIDC) token from a trusted external identity provider, such as Entra ID.

Federated credential policy
A set of criteria to determine whether a given federated credential is acceptable to be used to operate on behalf of a specific user. This can be considered a trust policy of an external identity provider, expressed by a user of NuGet Gallery.

Policy user
This is the user account that manages the federated credential policy. This will be the user that the generated short-lived API keys will be owned by.

Policy package owner
This is the user or organization account that the API key will act on behalf of. This is different from the policy user because the package owner can be an organization. The policy package owner will become the owner scope on the short-lived API key created from the policy.

Policy type
This is the type of federated credential that is accepted by the policy. The policy type determines how the policy criteria are interpreted. An example policy type would be an Entra ID service principal policy, which would accept Entra ID OIDC bearer tokens containing a specific tenant ID and object ID referring to a service principal.

Policy criteria
These are criteria specific to a certain policy type and specified by the user. An example of some policy criteria would be a tenant ID and object ID pair for an Entra ID service principal.

SQL:

-- One row per trust policy. CreatedByUserKey is the policy user (the account that will own
-- the minted API keys); PackageOwnerUserKey is the user or organization the key acts on behalf of.
CREATE TABLE [dbo].[FederatedCredentialPolicies] (
    [Key] [int] NOT NULL IDENTITY,
    [Created] [datetime2](7) NOT NULL,
    [LastMatched] [datetime2](7),
    [TypeKey] [int] NOT NULL,
    [Criteria] [nvarchar](max) NOT NULL,
    [CreatedByUserKey] [int] NOT NULL,
    [PackageOwnerUserKey] [int] NOT NULL,
    CONSTRAINT [PK_dbo.FederatedCredentialPolicies] PRIMARY KEY ([Key])
)
CREATE INDEX [IX_CreatedByUserKey] ON [dbo].[FederatedCredentialPolicies]([CreatedByUserKey])
CREATE INDEX [IX_PackageOwnerUserKey] ON [dbo].[FederatedCredentialPolicies]([PackageOwnerUserKey])
-- One row per federated credential that has been exchanged. The unique index on [Identity]
-- backs the replay check described above: a second exchange of the same credential fails on
-- insert. Note that [Identity] is nullable, and a SQL Server unique index admits only one NULL row.
CREATE TABLE [dbo].[FederatedCredentials] (
    [Key] [int] NOT NULL IDENTITY,
    [TypeKey] [int] NOT NULL,
    [FederatedCredentialPolicyKey] [int] NOT NULL,
    [Identity] [nvarchar](64),
    [Created] [datetime2](7) NOT NULL,
    [Expires] [datetime2](7),
    CONSTRAINT [PK_dbo.FederatedCredentials] PRIMARY KEY ([Key])
)
CREATE INDEX [IX_FederatedCredentialPolicyKey] ON [dbo].[FederatedCredentials]([FederatedCredentialPolicyKey])
CREATE UNIQUE INDEX [IX_Identity] ON [dbo].[FederatedCredentials]([Identity])
-- Short-lived API keys live in the existing Credentials table and link back to the policy
-- that produced them.
ALTER TABLE [dbo].[Credentials] ADD [FederatedCredentialPolicyKey] [int]
CREATE INDEX [IX_FederatedCredentialPolicyKey] ON [dbo].[Credentials]([FederatedCredentialPolicyKey])
ALTER TABLE [dbo].[Credentials] ADD CONSTRAINT [FK_dbo.Credentials_dbo.FederatedCredentialPolicies_FederatedCredentialPolicyKey] FOREIGN KEY ([FederatedCredentialPolicyKey]) REFERENCES [dbo].[FederatedCredentialPolicies] ([Key])
ALTER TABLE [dbo].[FederatedCredentialPolicies] ADD CONSTRAINT [FK_dbo.FederatedCredentialPolicies_dbo.Users_CreatedByUserKey] FOREIGN KEY ([CreatedByUserKey]) REFERENCES [dbo].[Users] ([Key])
ALTER TABLE [dbo].[FederatedCredentialPolicies] ADD CONSTRAINT [FK_dbo.FederatedCredentialPolicies_dbo.Users_PackageOwnerUserKey] FOREIGN KEY ([PackageOwnerUserKey]) REFERENCES [dbo].[Users] ([Key])
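The exchange that the terminology section and the schema above describe, modelled end to end as an added example. This is Python written for this page, not NuGetGallery code, and it does not use the gallery's API. It assumes the OIDC layer has already verified the token's signature, issuer and audience, that the Entra ID `uti` claim serves as the credential identity, and it invents the TypeKey value, the API key lifetime, the user keys and the sample IDs. It shows why a policy match is an exact match on every criterion, why the policy user and the package owner are separate fields on the issued key, and how a unique index on Identity rejects a replayed token at the insert rather than in a read-then-write check.

```python
import json
import secrets
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ENTRA_SERVICE_PRINCIPAL_TYPE = 1           # assumed TypeKey for the Entra ID SP policy type
API_KEY_LIFETIME = timedelta(minutes=15)   # assumed lifetime of the minted API key

# Reduced SQLite form of the PR's two tables; the unique index on Identity makes replay detection a database guarantee.
SCHEMA = """
CREATE TABLE FederatedCredentialPolicies (Key INTEGER PRIMARY KEY, TypeKey INTEGER NOT NULL,
    Criteria TEXT NOT NULL, CreatedByUserKey INTEGER NOT NULL,
    PackageOwnerUserKey INTEGER NOT NULL, LastMatched TEXT);
CREATE TABLE FederatedCredentials (Key INTEGER PRIMARY KEY, TypeKey INTEGER NOT NULL,
    FederatedCredentialPolicyKey INTEGER NOT NULL, Identity TEXT, Created TEXT NOT NULL, Expires TEXT);
CREATE UNIQUE INDEX IX_Identity ON FederatedCredentials(Identity);
"""

class NoMatchingPolicy(Exception): pass
class CredentialReplayed(Exception): pass
class CredentialExpired(Exception): pass

@dataclass(frozen=True)
class IssuedApiKey:
    value: str
    owner_user_key: int        # policy user: the account that owns the key
    owner_scope_user_key: int  # policy package owner: the account the key acts for
    policy_key: int
    expires: datetime

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_policy(conn, created_by_user_key, package_owner_user_key, tenant_id, object_id) -> int:
    """Entra ID service principal policy: the criteria are a tenant ID / object ID pair."""
    criteria = json.dumps({"tid": tenant_id.lower(), "oid": object_id.lower()})
    cur = conn.execute(
        "INSERT INTO FederatedCredentialPolicies (TypeKey, Criteria, CreatedByUserKey, "
        "PackageOwnerUserKey) VALUES (?, ?, ?, ?)",
        (ENTRA_SERVICE_PRINCIPAL_TYPE, criteria, created_by_user_key, package_owner_user_key))
    conn.commit()
    return cur.lastrowid

def exchange(conn, claims: dict, now: datetime) -> IssuedApiKey:
    """Trade the claims of an Entra ID token (signature, issuer and audience assumed
    already verified by the OIDC layer) for a short-lived API key."""
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    if exp <= now:
        raise CredentialExpired("token has expired")
    # Every criterion must match; the trusted tenant with a different oid matches no policy.
    wanted = {"tid": claims["tid"].lower(), "oid": claims["oid"].lower()}
    rows = conn.execute("SELECT Key, Criteria, CreatedByUserKey, PackageOwnerUserKey FROM "
                        "FederatedCredentialPolicies WHERE TypeKey = ?", (ENTRA_SERVICE_PRINCIPAL_TYPE,))
    match = next((r for r in rows.fetchall() if json.loads(r[1]) == wanted), None)
    if match is None:
        raise NoMatchingPolicy("no policy trusts this tenant ID / object ID pair")
    policy_key, _, created_by, package_owner = match
    # Replay tracking: the token's unique identifier (assumed to be the Entra ID `uti` claim)
    # goes under the unique index, so a second use fails on the insert itself.
    try:
        conn.execute("INSERT INTO FederatedCredentials (TypeKey, FederatedCredentialPolicyKey, "
                     "Identity, Created, Expires) VALUES (?, ?, ?, ?, ?)",
                     (ENTRA_SERVICE_PRINCIPAL_TYPE, policy_key, claims["uti"], now.isoformat(), exp.isoformat()))
    except sqlite3.IntegrityError:
        conn.rollback()
        raise CredentialReplayed(f"token {claims['uti']} was already exchanged")
    conn.execute("UPDATE FederatedCredentialPolicies SET LastMatched = ? WHERE Key = ?",
                 (now.isoformat(), policy_key))
    conn.commit()
    return IssuedApiKey(secrets.token_urlsafe(32), created_by, package_owner, policy_key,
                        now + API_KEY_LIFETIME)

def sample_claims(tenant_id, object_id, uti, now):
    # Constructed claims standing in for a validated Entra ID token (not a real token).
    return {"tid": tenant_id, "oid": object_id, "uti": uti,
            "exp": int((now + timedelta(hours=1)).timestamp())}

def demo() -> dict:
    """Happy path plus the three rejections; returns what each attempt produced."""
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
    sp_oid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed service principal object ID
    now = datetime(2024, 12, 10, 12, 0, tzinfo=timezone.utc)
    conn = open_store()
    policy_key = add_policy(conn, 7, 42, tenant, sp_oid)  # policy user 7, package owner (org) 42
    issued = exchange(conn, sample_claims(tenant, sp_oid, "uti-0001", now), now)
    out = {"policy_key": policy_key, "owner": issued.owner_user_key,
           "scope": issued.owner_scope_user_key, "key_len_ok": len(issued.value) >= 32}
    def rejected(claims, at):
        try:
            exchange(conn, claims, at)
        except (NoMatchingPolicy, CredentialReplayed, CredentialExpired) as e:
            return type(e).__name__
    out["replay"] = rejected(sample_claims(tenant, sp_oid, "uti-0001", now), now)
    out["other_sp"] = rejected(sample_claims(tenant, "ffffffff-0000-0000-0000-000000000000", "uti-0002", now), now)
    out["expired"] = rejected(sample_claims(tenant, sp_oid, "uti-0003", now), now + timedelta(hours=2))
    return out
```

Running demo() issues one key owned by policy user 7 and scoped to package owner 42, then rejects the same token presented a second time, a token for another service principal in the same tenant, and an expired token. The key is minted only after the identity row is inserted, so two concurrent exchanges of one token cannot both succeed; a check that reads the table first and inserts afterwards would leave that window open.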
@joelverhagen joelverhagen requested a review from a team as a code owner November 27, 2024 18:02
@joelverhagen joelverhagen changed the title Add admin panel for federated credential policies [OIDC 12] Add admin panel for federated credential policies Nov 27, 2024
agr
agr previously approved these changes Dec 3, 2024
drewgillies
drewgillies previously approved these changes Dec 5, 2024
# Conflicts:
#	src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialService.cs
#	tests/NuGetGallery.Facts/Authentication/Federated/FederatedCredentialServiceFacts.cs
# Conflicts:
#	src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialRepository.cs
#	tests/NuGetGallery.Facts/Authentication/Federated/FederatedCredentialRepositoryFacts.cs
Base automatically changed from jver-oidc-ship-5 to dev December 9, 2024 20:08
@joelverhagen joelverhagen dismissed stale reviews from agr and drewgillies December 9, 2024 20:08

The base branch was changed.

@joelverhagen joelverhagen merged commit 8a07bc5 into dev Dec 10, 2024
2 checks passed
@joelverhagen joelverhagen deleted the jver-oidc-ship-6 branch December 10, 2024 20:18
4 participants