Ejemplo n.º 1
0
        public virtual async Task <JsonResult> Deprecate(
            DeprecatePackageRequest request)
        {
            var status = PackageDeprecationStatus.NotDeprecated;

            if (request.IsLegacy)
            {
                status |= PackageDeprecationStatus.Legacy;
            }

            if (request.HasCriticalBugs)
            {
                status |= PackageDeprecationStatus.CriticalBugs;
            }

            var customMessage = request.CustomMessage;

            if (request.IsOther)
            {
                if (string.IsNullOrWhiteSpace(customMessage))
                {
                    return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_CustomMessageRequired));
                }

                status |= PackageDeprecationStatus.Other;
            }

            if (customMessage != null)
            {
                if (customMessage.Length > MaxCustomMessageLength)
                {
                    return(DeprecateErrorResponse(
                               HttpStatusCode.BadRequest,
                               string.Format(Strings.DeprecatePackage_CustomMessageTooLong, MaxCustomMessageLength)));
                }
            }

            if (request.Versions == null || !request.Versions.Any())
            {
                return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
            }

            var packages     = _packageService.FindPackagesById(request.Id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
            var registration = packages.FirstOrDefault()?.PackageRegistration;

            if (registration == null)
            {
                // This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
                return(DeprecateErrorResponse(
                           HttpStatusCode.NotFound,
                           string.Format(Strings.DeprecatePackage_MissingRegistration, request.Id)));
            }

            var currentUser = GetCurrentUser();

            if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser(), registration))
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (registration.IsLocked)
            {
                return(DeprecateErrorResponse(
                           HttpStatusCode.Forbidden,
                           string.Format(Strings.DeprecatePackage_Locked, request.Id)));
            }

            PackageRegistration alternatePackageRegistration = null;
            Package             alternatePackage             = null;

            if (!string.IsNullOrWhiteSpace(request.AlternatePackageId))
            {
                if (!string.IsNullOrWhiteSpace(request.AlternatePackageVersion))
                {
                    alternatePackage = _packageService.FindPackageByIdAndVersionStrict(request.AlternatePackageId, request.AlternatePackageVersion);
                    if (alternatePackage == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackage, request.AlternatePackageId, request.AlternatePackageVersion)));
                    }
                }
                else
                {
                    alternatePackageRegistration = _packageService.FindPackageRegistrationById(request.AlternatePackageId);
                    if (alternatePackageRegistration == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, request.AlternatePackageId)));
                    }
                }
            }

            var packagesToUpdate = new List <Package>();

            foreach (var version in request.Versions)
            {
                var normalizedVersion = NuGetVersionFormatter.Normalize(version);
                var package           = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
                if (package == null)
                {
                    // This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
                    return(DeprecateErrorResponse(
                               HttpStatusCode.NotFound,
                               string.Format(Strings.DeprecatePackage_MissingVersion, request.Id)));
                }
                else
                {
                    packagesToUpdate.Add(package);
                }
            }

            if (alternatePackage != null && packagesToUpdate.Any(p => p == alternatePackage))
            {
                return(DeprecateErrorResponse(
                           HttpStatusCode.BadRequest,
                           Strings.DeprecatePackage_AlternateOfSelf));
            }

            await _deprecationService.UpdateDeprecation(
                packagesToUpdate,
                status,
                alternatePackageRegistration,
                alternatePackage,
                customMessage,
                currentUser);

            return(Json(HttpStatusCode.OK));
        }
Ejemplo n.º 2
0
        public virtual async Task <JsonResult> Deprecate(
            string id,
            IEnumerable <string> versions,
            bool isLegacy,
            bool hasCriticalBugs,
            bool isOther,
            string alternatePackageId,
            string alternatePackageVersion,
            string customMessage)
        {
            var status = PackageDeprecationStatus.NotDeprecated;

            if (isLegacy)
            {
                status |= PackageDeprecationStatus.Legacy;
            }

            if (hasCriticalBugs)
            {
                status |= PackageDeprecationStatus.CriticalBugs;
            }

            if (isOther)
            {
                if (string.IsNullOrWhiteSpace(customMessage))
                {
                    return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_CustomMessageRequired));
                }

                status |= PackageDeprecationStatus.Other;
            }

            var currentUser = GetCurrentUser();

            if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser()))
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (versions == null || !versions.Any())
            {
                return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
            }

            var packages     = _packageService.FindPackagesById(id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
            var registration = packages.FirstOrDefault()?.PackageRegistration;

            if (registration == null)
            {
                // This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
                return(DeprecateErrorResponse(
                           HttpStatusCode.NotFound,
                           string.Format(Strings.DeprecatePackage_MissingRegistration, id)));
            }

            if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (registration.IsLocked)
            {
                return(DeprecateErrorResponse(
                           HttpStatusCode.Forbidden,
                           string.Format(Strings.DeprecatePackage_Locked, id)));
            }

            PackageRegistration alternatePackageRegistration = null;
            Package             alternatePackage             = null;

            if (!string.IsNullOrWhiteSpace(alternatePackageId))
            {
                if (!string.IsNullOrWhiteSpace(alternatePackageVersion))
                {
                    alternatePackage = _packageService.FindPackageByIdAndVersionStrict(alternatePackageId, alternatePackageVersion);
                    if (alternatePackage == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackage, alternatePackageId, alternatePackageVersion)));
                    }
                }
                else
                {
                    alternatePackageRegistration = _packageService.FindPackageRegistrationById(alternatePackageId);
                    if (alternatePackageRegistration == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, alternatePackageId)));
                    }
                }
            }

            var packagesToUpdate = new List <Package>();

            foreach (var version in versions)
            {
                var normalizedVersion = NuGetVersionFormatter.Normalize(version);
                var package           = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
                if (package == null)
                {
                    // This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
                    return(DeprecateErrorResponse(
                               HttpStatusCode.NotFound,
                               string.Format(Strings.DeprecatePackage_MissingVersion, id)));
                }
                else
                {
                    packagesToUpdate.Add(package);
                }
            }

            await _deprecationService.UpdateDeprecation(
                packagesToUpdate,
                status,
                alternatePackageRegistration,
                alternatePackage,
                customMessage,
                currentUser);

            foreach (var packageToUpdate in packagesToUpdate)
            {
                await _auditingService.SaveAuditRecordAsync(
                    new PackageAuditRecord(
                        packageToUpdate,
                        status == PackageDeprecationStatus.NotDeprecated ? AuditedPackageAction.Undeprecate : AuditedPackageAction.Deprecate,
                        status == PackageDeprecationStatus.NotDeprecated ? PackageUndeprecatedVia.Web : PackageDeprecatedVia.Web));
            }

            return(Json(HttpStatusCode.OK));
        }
        public virtual async Task <JsonResult> Deprecate(
            string id,
            IEnumerable <string> versions,
            bool isVulnerable,
            bool isLegacy,
            bool isOther,
            IEnumerable <string> cveIds,
            decimal?cvssRating,
            IEnumerable <string> cweIds,
            string alternatePackageId,
            string alternatePackageVersion,
            string customMessage)
        {
            var currentUser = GetCurrentUser();

            if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser()))
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (versions == null || !versions.Any())
            {
                return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
            }

            JsonResult vulnerabilityDetailIdsErrorResult;

            cveIds = cveIds ?? Enumerable.Empty <string>();
            if (!TryVerifyVulnerabilityDetailIds(
                    cveIds,
                    IsValidCveId,
                    Strings.DeprecatePackage_InvalidCve,
                    out vulnerabilityDetailIdsErrorResult))
            {
                return(vulnerabilityDetailIdsErrorResult);
            }

            cweIds = cweIds ?? Enumerable.Empty <string>();
            if (!TryVerifyVulnerabilityDetailIds(
                    cweIds,
                    IsValidCweId,
                    Strings.DeprecatePackage_InvalidCwe,
                    out vulnerabilityDetailIdsErrorResult))
            {
                return(vulnerabilityDetailIdsErrorResult);
            }

            if (cvssRating.HasValue && (cvssRating < 0 || cvssRating > 10))
            {
                return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_InvalidCvss));
            }

            var packages     = _packageService.FindPackagesById(id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
            var registration = packages.FirstOrDefault()?.PackageRegistration;

            if (registration == null)
            {
                // This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
                return(DeprecateErrorResponse(
                           HttpStatusCode.NotFound,
                           string.Format(Strings.DeprecatePackage_MissingRegistration, id)));
            }

            if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
            {
                return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
            }

            if (registration.IsLocked)
            {
                return(DeprecateErrorResponse(
                           HttpStatusCode.Forbidden,
                           string.Format(Strings.DeprecatePackage_Locked, id)));
            }

            PackageRegistration alternatePackageRegistration = null;
            Package             alternatePackage             = null;

            if (!string.IsNullOrWhiteSpace(alternatePackageId))
            {
                if (!string.IsNullOrWhiteSpace(alternatePackageVersion))
                {
                    alternatePackage = _packageService.FindPackageByIdAndVersionStrict(alternatePackageId, alternatePackageVersion);
                    if (alternatePackage == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackage, alternatePackageId, alternatePackageVersion)));
                    }
                }
                else
                {
                    alternatePackageRegistration = _packageService.FindPackageRegistrationById(alternatePackageId);
                    if (alternatePackageRegistration == null)
                    {
                        return(DeprecateErrorResponse(
                                   HttpStatusCode.NotFound,
                                   string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, alternatePackageId)));
                    }
                }
            }

            var packagesToUpdate = new List <Package>();

            foreach (var version in versions)
            {
                var normalizedVersion = NuGetVersionFormatter.Normalize(version);
                var package           = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
                if (package == null)
                {
                    // This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
                    return(DeprecateErrorResponse(
                               HttpStatusCode.NotFound,
                               string.Format(Strings.DeprecatePackage_MissingVersion, id)));
                }
                else
                {
                    packagesToUpdate.Add(package);
                }
            }

            var cves = await _deprecationService.GetOrCreateCvesByIdAsync(cveIds, commitChanges : false);

            IReadOnlyCollection <Cwe> cwes;

            try
            {
                cwes = _deprecationService.GetCwesById(cweIds);
            }
            catch (ArgumentException)
            {
                return(DeprecateErrorResponse(HttpStatusCode.NotFound, Strings.DeprecatePackage_CweMissing));
            }

            var status = PackageDeprecationStatus.NotDeprecated;

            if (isVulnerable)
            {
                status |= PackageDeprecationStatus.Vulnerable;
            }

            if (isLegacy)
            {
                status |= PackageDeprecationStatus.Legacy;
            }

            if (isOther)
            {
                status |= PackageDeprecationStatus.Other;
            }

            await _deprecationService.UpdateDeprecation(
                packagesToUpdate,
                status,
                cves,
                cvssRating,
                cwes,
                alternatePackageRegistration,
                alternatePackage,
                customMessage);

            return(Json(HttpStatusCode.OK));
        }