Integrate Microsoft.Owin.Security

NuGetGallery.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 2013
-VisualStudioVersion = 12.0.20827.3
+VisualStudioVersion = 12.0.21005.1
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = ".nuget", ".nuget", "{96E4AFF8-D3A1-4102-ADCF-05F186F916A9}"
 	ProjectSection(SolutionItems) = preProject
@@ -36,10 +36,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.FunctionalTest
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.FunctionalTests.Helpers", "tests\NuGetGallery.FunctionalTests.Helpers\NuGetGallery.FunctionalTests.Helpers.csproj", "{8FB56455-C688-44AE-95F1-48FFCB199BFE}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.Monitoring", "src\NuGetGallery.Monitoring\NuGetGallery.Monitoring.csproj", "{DFF0089E-4918-4A12-992B-B9DD2C070B0F}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.Monitoring.Azure", "src\NuGetGallery.Monitoring.Azure\NuGetGallery.Monitoring.Azure.csproj", "{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
@@ -136,42 +132,6 @@ Global
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x64.Build.0 = Release|Any CPU
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.ActiveCfg = Release|Any CPU
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.Build.0 = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x64.Build.0 = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x86.Build.0 = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x64.ActiveCfg = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x64.Build.0 = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x86.ActiveCfg = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x86.Build.0 = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x64.Build.0 = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x86.Build.0 = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x64.ActiveCfg = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x64.Build.0 = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x86.ActiveCfg = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x86.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Any CPU.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Mixed Platforms.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|x86.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Any CPU.Build.0 = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Mixed Platforms.Build.0 = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.ActiveCfg = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -184,7 +144,5 @@ Global
 		{4405C24C-7F57-4826-831F-D5D7E139F02E} = {B9B19787-DCC0-489E-9173-36A32C6B6848}
 		{DBECF66B-8F2F-4B32-9143-E243BAFF12DF} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
 		{F240D1BC-BBFB-4F22-9DF8-3FDE36BFD665} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
 	EndGlobalSection
 EndGlobal

build/Enable-LocalTestMe.ps1

@@ -1,31 +1,90 @@
-param([switch]$Force, [string]$Subdomain="nuget")
+param([string]$Subdomain="nuget", [string]$SiteName = "NuGet Gallery", [string]$SitePhysicalPath, [string]$MakeCertPath, [string]$AppCmdPath)
 
 if(!(([Security.Principal.WindowsPrincipal]([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator"))) {
     throw "This script must be run as an admin."
 }
 
-$WebSite = Resolve-Path (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "..\Website")
+if(!$SitePhysicalPath) {
+    $ScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path;
+    $SitePhysicalPath = Join-Path $ScriptRoot "..\src\NuGetGallery"
+}
+if(!(Test-Path $SitePhysicalPath)) {
+    throw "Could not find site at $SitePhysicalPath. Use -SitePhysicalPath argument to specify the path."
+}
+$SitePhysicalPath = Convert-Path $SitePhysicalPath
 
-# Enable access to the necessary URLs
-netsh http add urlacl url=http://nuget.localtest.me:80/ user=Everyone
-netsh http add urlacl url=https://nuget.localtest.me:443/ user=Everyone
+# Find Windows SDK
+if(!$MakeCertPath) {
+    $SDKVersion = dir 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows' | 
+        where { $_.PSChildName -match "v(?<ver>\d+\.\d+)" } | 
+        foreach { New-Object System.Version $($matches["ver"]) } |
+        sort -desc |
+        select -first 1
+    if(!$SDKVersion) {
+        throw "Could not find Windows SDK. Please install the Windows SDK before running this script, or use -MakeCertPath to specify the path to makecert.exe"
+    }
+    $SDKRegKey = (Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v$SDKVersion")
+    $WinSDKDir = $SDKRegKey.InstallationFolder
+    $xArch = "x86"
+    if($env:PROCESSOR_ARCHITECTURE -eq "AMD64") {
+        $xArch = "x64"
+    }
+    $MakeCertPath = Join-Path $WinSDKDir "bin\$xArch\makecert.exe"
+}
 
-$IISExpressDir = "$env:ProgramFiles\IIS Express"
-if(!(Test-Path $IISExpressDir)) {
-    throw "Can't find IIS Express in $IISExpressDir"
+if(!(Test-Path $MakeCertPath)) {
+    throw "Could not find makecert.exe in $MakeCertPath!"
 }
-$AppCmd = "$IISExpressDir\appcmd.exe"
 
-$sites = @(&$AppCmd list site "NuGet Gallery ($Subdomain.localtest.me)")
-if($sites.Length -gt 0) {
-    if($Force) {
-        &$AppCmd delete site "NuGet Gallery ($Subdomain.localtest.me)"
+# Find IIS Express
+if(!$AppCmdPath) {
+    $IISXVersion = dir 'HKLM:\Software\Microsoft\IISExpress' | 
+        foreach { New-Object System.Version ($_.PSChildName) } |
+        sort -desc |
+        select -first 1
+    if(!$IISXVersion) {
+        throw "Could not find IIS Express. Please install IIS Express before running this script, or use -AppCmdPath to specify the path to appcmd.exe for your IIS environment"
+    }
+    $IISRegKey = (Get-ItemProperty "HKLM:\Software\Microsoft\IISExpress\$IISXVersion")
+    $IISExpressDir = $IISRegKey.InstallPath
+    if(!(Test-Path $IISExpressDir)) {
+        throw "Can't find IIS Express in $IISExpressDir. Please install IIS Express"
+    }
+    $AppCmdPath = "$IISExpressDir\appcmd.exe"
+}
+
+if(!(Test-Path $AppCmdPath)) {
+    throw "Could not find appcmd.exe in $AppCmdPath!"
+}
+
+function Invoke-Netsh() {
+    $argStr = $([String]::Join(" ", $args))
+    Write-Verbose "netsh $argStr"
+    $result = netsh @args
+    $parsed = [Regex]::Match($result, ".*Error: (\d+).*")
+    if($parsed.Success) {
+        $err = $parsed.Groups[1].Value
+        if($err -ne "183") {
+            throw $result
+        }
     } else {
-       throw "You already have a site named `"NuGet Gallery ($Subdomain.localtest.me)`". Remove it manually or use -Force to have this command auto-remove it"
+        Write-Host $result
     }
 }
 
-&$AppCmd add site /name:"NuGet Gallery ($Subdomain.localtest.me)" /bindings:"http://$Subdomain.localtest.me:80,https://$Subdomain.localtest.me:443" /physicalPath:$WebSite
+# Enable access to the necessary URLs
+Invoke-Netsh http add urlacl "url=http://$Subdomain.localtest.me:80/" user=Everyone
+Invoke-Netsh http add urlacl "url=https://$Subdomain.localtest.me:443/" user=Everyone
+
+
+$SiteFullName = "$SiteName ($Subdomain.localtest.me)"
+$sites = @(&$AppCmdPath list site $SiteFullName)
+if($sites.Length -gt 0) {
+    Write-Warning "Site '$SiteFullName' already exists. Deleting and recreating."
+    &$AppCmdPath delete site "$SiteFullName"
+}
+
+&$AppCmdPath add site /name:"$SiteFullName" /bindings:"http://$Subdomain.localtest.me:80,https://$Subdomain.localtest.me:443" /physicalPath:$SitePhysicalPath
 
 # Check for a cert
 $cert = @(dir -l "Cert:\CurrentUser\Root" | where {$_.Subject -eq "CN=$Subdomain.localtest.me"})
@@ -36,7 +95,7 @@ if($cert.Length -eq 0) {
 if($cert.Length -eq 0) {
     Write-Host "Generating a Self-Signed SSL Certificate for $Subdomain.localtest.me"
     # Generate one
-    & makecert -r -pe -n "CN=$Subdomain.localtest.me" -b `"$([DateTime]::Now.ToString("MM/dd/yyy"))`" -e `"$([DateTime]::Now.AddYears(10).ToString("MM/dd/yyy"))`" -eku 1.3.6.1.5.5.7.3.1 -ss root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
+    & $MakeCertPath -r -pe -n "CN=$Subdomain.localtest.me" -b `"$([DateTime]::Now.ToString("MM/dd/yyy"))`" -e `"$([DateTime]::Now.AddYears(10).ToString("MM/dd/yyy"))`" -eku 1.3.6.1.5.5.7.3.1 -ss root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
     $cert = @(dir -l "Cert:\LocalMachine\Root" | where {$_.Subject -eq "CN=$Subdomain.localtest.me"})
 }
 
@@ -47,7 +106,6 @@ if($cert.Length -eq 0) {
 Write-Host "Using SSL Certificate: $($cert.Thumbprint)"
 
 # Set the Certificate
-netsh http add sslcert hostnameport="$Subdomain.localtest.me:443" certhash="$($cert.Thumbprint)" certstorename=Root appid="{$([Guid]::NewGuid().ToString())}"
+Invoke-Netsh http add sslcert hostnameport="$Subdomain.localtest.me:443" certhash="$($cert.Thumbprint)" certstorename=Root appid="{$([Guid]::NewGuid().ToString())}"
 
-Write-Host "Ready! All you have to do now is go to your Website project properties and set 'http://$Subdomain.localtest.me' as your Project URL"
-Write-Host "To use SSL, set the IISExpressSSLPort MSBuild property in your Website.csproj.user to 443"
+Write-Host "Ready! All you have to do now is go to your website project properties and set 'http://$Subdomain.localtest.me' as your Project URL!"

src/NuGetGallery.Core/Entities/EntitiesContext.cs

@@ -30,6 +30,7 @@ public EntitiesContext()
         public IDbSet<CuratedFeed> CuratedFeeds { get; set; }
         public IDbSet<CuratedPackage> CuratedPackages { get; set; }
         public IDbSet<PackageRegistration> PackageRegistrations { get; set; }
+        public IDbSet<Credential> Credentials { get; set; }
         public IDbSet<User> Users { get; set; }
 
         IDbSet<T> IEntitiesContext.Set<T>()

src/NuGetGallery.Core/Entities/IEntitiesContext.cs

@@ -7,6 +7,7 @@ public interface IEntitiesContext
         IDbSet<CuratedFeed> CuratedFeeds { get; set; }
         IDbSet<CuratedPackage> CuratedPackages { get; set; }
         IDbSet<PackageRegistration> PackageRegistrations { get; set; }
+        IDbSet<Credential> Credentials { get; set; }
         IDbSet<User> Users { get; set; }
         int SaveChanges();
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1716:IdentifiersShouldNotMatchKeywords", MessageId = "Set", Justification="This is to match the EF terminology.")]

src/NuGetGallery.Core/Entities/User.cs

@@ -13,6 +13,7 @@ public User() : this(null)
         public User(string username)
         {
             Credentials = new List<Credential>();
+            Roles = new List<Role>();
             Username = username;
         }
 

src/NuGetGallery/ApiController.generated.cs

@@ -89,25 +89,22 @@ public class ViewNames {
     public class T4MVC_ApiController: NuGetGallery.ApiController {
         public T4MVC_ApiController() : base(Dummy.Instance) { }
 
-        public override System.Web.Mvc.ActionResult VerifyPackageKey(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult VerifyPackageKey(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.VerifyPackageKey);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;
         }
 
-        public override System.Web.Mvc.ActionResult DeletePackage(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult DeletePackage(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.DeletePackage);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;
         }
 
-        public override System.Web.Mvc.ActionResult PublishPackage(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult PublishPackage(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.PublishPackage);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;

src/NuGetGallery/App_Start/AppActivator.cs

@@ -1,5 +1,7 @@
 using System;
 using System.Data.Entity;
+using System.Security.Claims;
+using System.Web.Helpers;
 using System.Web.Mvc;
 using System.Web.Optimization;
 using System.Web.Routing;
@@ -30,6 +32,8 @@ public static class AppActivator
 
         public static void PreStart()
         {
+            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
+
             NinjectPreStart();
             ElmahPreStart();
             GlimpsePreStart();
@@ -101,7 +105,6 @@ private static void AppPostStart()
             GlobalFilters.Filters.Add(new ElmahHandleErrorAttribute());
             GlobalFilters.Filters.Add(new ReadOnlyModeErrorFilter());
             GlobalFilters.Filters.Add(new AntiForgeryErrorFilter());
-            GlobalFilters.Filters.Add(new RequireRemoteHttpsAttribute() { OnlyWhenAuthenticated = true });
             ValueProviderFactories.Factories.Add(new HttpHeaderValueProviderFactory());
         }
 

src/NuGetGallery/App_Start/ContainerBindings.cs

@@ -222,6 +222,12 @@ private void ConfigureForLocalFileSystem()
             Bind<IFileStorageService>()
                 .To<FileSystemFileStorageService>()
                 .InSingletonScope();
+
+            // Ninject is doing some weird things with constructor selection without these.
+            // Anyone requesting an IReportService or IStatisticsService should be prepared
+            // to receive null anyway.
+            Bind<IReportService>().ToConstant(NullReportService.Instance);
+            Bind<IStatisticsService>().ToConstant(NullStatisticsService.Instance);
         }
 
         private void ConfigureForAzureStorage(ConfigurationService configuration)

src/NuGetGallery/App_Start/OwinStartup.cs

@@ -0,0 +1,50 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using Owin;
+using Ninject;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Extensions;
+using Microsoft.Owin.Diagnostics;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Cookies;
+using NuGetGallery.Authentication;
+using NuGetGallery.Configuration;
+
+[assembly: OwinStartup(typeof(NuGetGallery.OwinStartup))]
+
+namespace NuGetGallery
+{
+    public class OwinStartup
+    {
+        // This method is auto-detected by the OWIN pipeline. DO NOT RENAME IT!
+        public static void Configuration(IAppBuilder app)
+        {
+            // Get config
+            var config = Container.Kernel.Get<ConfigurationService>();
+            var cookieSecurity = config.Current.RequireSSL ? CookieSecureOption.Always : CookieSecureOption.Never;
+
+            // Configure logging
+            app.SetLoggerFactory(new DiagnosticsLoggerFactory());
+
+            if (config.Current.RequireSSL)
+            {
+                // Put a middleware at the top of the stack to force the user over to SSL
+                // if authenticated.
+                app.UseForceSslWhenAuthenticated(config.Current.SSLPort);
+            }
+
+            app.UseCookieAuthentication(new CookieAuthenticationOptions()
+            {
+                AuthenticationType = AuthenticationTypes.Password,
+                AuthenticationMode = AuthenticationMode.Active,
+                CookieHttpOnly = true,
+                CookieSecure = cookieSecurity,
+                LoginPath = "/users/account/LogOn"
+            });
+            app.UseApiKeyAuthentication();
+        }
+    }
+}