public virtual async Task <JsonResult> Deprecate(
DeprecatePackageRequest request)
{
var status = PackageDeprecationStatus.NotDeprecated;
if (request.IsLegacy)
{
status |= PackageDeprecationStatus.Legacy;
}
if (request.HasCriticalBugs)
{
status |= PackageDeprecationStatus.CriticalBugs;
}
var customMessage = request.CustomMessage;
if (request.IsOther)
{
if (string.IsNullOrWhiteSpace(customMessage))
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_CustomMessageRequired));
}
status |= PackageDeprecationStatus.Other;
}
if (customMessage != null)
{
if (customMessage.Length > MaxCustomMessageLength)
{
return(DeprecateErrorResponse(
HttpStatusCode.BadRequest,
string.Format(Strings.DeprecatePackage_CustomMessageTooLong, MaxCustomMessageLength)));
}
}
if (request.Versions == null || !request.Versions.Any())
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
}
var packages = _packageService.FindPackagesById(request.Id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
var registration = packages.FirstOrDefault()?.PackageRegistration;
if (registration == null)
{
// This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingRegistration, request.Id)));
}
var currentUser = GetCurrentUser();
if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser(), registration))
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (registration.IsLocked)
{
return(DeprecateErrorResponse(
HttpStatusCode.Forbidden,
string.Format(Strings.DeprecatePackage_Locked, request.Id)));
}
PackageRegistration alternatePackageRegistration = null;
Package alternatePackage = null;
if (!string.IsNullOrWhiteSpace(request.AlternatePackageId))
{
if (!string.IsNullOrWhiteSpace(request.AlternatePackageVersion))
{
alternatePackage = _packageService.FindPackageByIdAndVersionStrict(request.AlternatePackageId, request.AlternatePackageVersion);
if (alternatePackage == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackage, request.AlternatePackageId, request.AlternatePackageVersion)));
}
}
else
{
alternatePackageRegistration = _packageService.FindPackageRegistrationById(request.AlternatePackageId);
if (alternatePackageRegistration == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, request.AlternatePackageId)));
}
}
}
var packagesToUpdate = new List <Package>();
foreach (var version in request.Versions)
{
var normalizedVersion = NuGetVersionFormatter.Normalize(version);
var package = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
if (package == null)
{
// This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingVersion, request.Id)));
}
else
{
packagesToUpdate.Add(package);
}
}
if (alternatePackage != null && packagesToUpdate.Any(p => p == alternatePackage))
{
return(DeprecateErrorResponse(
HttpStatusCode.BadRequest,
Strings.DeprecatePackage_AlternateOfSelf));
}
await _deprecationService.UpdateDeprecation(
packagesToUpdate,
status,
alternatePackageRegistration,
alternatePackage,
customMessage,
currentUser);
return(Json(HttpStatusCode.OK));
}
public virtual async Task <JsonResult> Deprecate(
string id,
IEnumerable <string> versions,
bool isLegacy,
bool hasCriticalBugs,
bool isOther,
string alternatePackageId,
string alternatePackageVersion,
string customMessage)
{
var status = PackageDeprecationStatus.NotDeprecated;
if (isLegacy)
{
status |= PackageDeprecationStatus.Legacy;
}
if (hasCriticalBugs)
{
status |= PackageDeprecationStatus.CriticalBugs;
}
if (isOther)
{
if (string.IsNullOrWhiteSpace(customMessage))
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_CustomMessageRequired));
}
status |= PackageDeprecationStatus.Other;
}
var currentUser = GetCurrentUser();
if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser()))
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (versions == null || !versions.Any())
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
}
var packages = _packageService.FindPackagesById(id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
var registration = packages.FirstOrDefault()?.PackageRegistration;
if (registration == null)
{
// This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingRegistration, id)));
}
if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (registration.IsLocked)
{
return(DeprecateErrorResponse(
HttpStatusCode.Forbidden,
string.Format(Strings.DeprecatePackage_Locked, id)));
}
PackageRegistration alternatePackageRegistration = null;
Package alternatePackage = null;
if (!string.IsNullOrWhiteSpace(alternatePackageId))
{
if (!string.IsNullOrWhiteSpace(alternatePackageVersion))
{
alternatePackage = _packageService.FindPackageByIdAndVersionStrict(alternatePackageId, alternatePackageVersion);
if (alternatePackage == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackage, alternatePackageId, alternatePackageVersion)));
}
}
else
{
alternatePackageRegistration = _packageService.FindPackageRegistrationById(alternatePackageId);
if (alternatePackageRegistration == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, alternatePackageId)));
}
}
}
var packagesToUpdate = new List <Package>();
foreach (var version in versions)
{
var normalizedVersion = NuGetVersionFormatter.Normalize(version);
var package = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
if (package == null)
{
// This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingVersion, id)));
}
else
{
packagesToUpdate.Add(package);
}
}
await _deprecationService.UpdateDeprecation(
packagesToUpdate,
status,
alternatePackageRegistration,
alternatePackage,
customMessage,
currentUser);
foreach (var packageToUpdate in packagesToUpdate)
{
await _auditingService.SaveAuditRecordAsync(
new PackageAuditRecord(
packageToUpdate,
status == PackageDeprecationStatus.NotDeprecated ? AuditedPackageAction.Undeprecate : AuditedPackageAction.Deprecate,
status == PackageDeprecationStatus.NotDeprecated ? PackageUndeprecatedVia.Web : PackageDeprecatedVia.Web));
}
return(Json(HttpStatusCode.OK));
}
public virtual async Task <JsonResult> Deprecate(
string id,
IEnumerable <string> versions,
bool isVulnerable,
bool isLegacy,
bool isOther,
IEnumerable <string> cveIds,
decimal?cvssRating,
IEnumerable <string> cweIds,
string alternatePackageId,
string alternatePackageVersion,
string customMessage)
{
var currentUser = GetCurrentUser();
if (!_featureFlagService.IsManageDeprecationEnabled(GetCurrentUser()))
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (versions == null || !versions.Any())
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions));
}
JsonResult vulnerabilityDetailIdsErrorResult;
cveIds = cveIds ?? Enumerable.Empty <string>();
if (!TryVerifyVulnerabilityDetailIds(
cveIds,
IsValidCveId,
Strings.DeprecatePackage_InvalidCve,
out vulnerabilityDetailIdsErrorResult))
{
return(vulnerabilityDetailIdsErrorResult);
}
cweIds = cweIds ?? Enumerable.Empty <string>();
if (!TryVerifyVulnerabilityDetailIds(
cweIds,
IsValidCweId,
Strings.DeprecatePackage_InvalidCwe,
out vulnerabilityDetailIdsErrorResult))
{
return(vulnerabilityDetailIdsErrorResult);
}
if (cvssRating.HasValue && (cvssRating < 0 || cvssRating > 10))
{
return(DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_InvalidCvss));
}
var packages = _packageService.FindPackagesById(id, PackageDeprecationFieldsToInclude.DeprecationAndRelationships);
var registration = packages.FirstOrDefault()?.PackageRegistration;
if (registration == null)
{
// This should only happen if someone hacks the form or if the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingRegistration, id)));
}
if (ActionsRequiringPermissions.DeprecatePackage.CheckPermissionsOnBehalfOfAnyAccount(currentUser, registration) != PermissionsCheckResult.Allowed)
{
return(DeprecateErrorResponse(HttpStatusCode.Forbidden, Strings.DeprecatePackage_Forbidden));
}
if (registration.IsLocked)
{
return(DeprecateErrorResponse(
HttpStatusCode.Forbidden,
string.Format(Strings.DeprecatePackage_Locked, id)));
}
PackageRegistration alternatePackageRegistration = null;
Package alternatePackage = null;
if (!string.IsNullOrWhiteSpace(alternatePackageId))
{
if (!string.IsNullOrWhiteSpace(alternatePackageVersion))
{
alternatePackage = _packageService.FindPackageByIdAndVersionStrict(alternatePackageId, alternatePackageVersion);
if (alternatePackage == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackage, alternatePackageId, alternatePackageVersion)));
}
}
else
{
alternatePackageRegistration = _packageService.FindPackageRegistrationById(alternatePackageId);
if (alternatePackageRegistration == null)
{
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_NoAlternatePackageRegistration, alternatePackageId)));
}
}
}
var packagesToUpdate = new List <Package>();
foreach (var version in versions)
{
var normalizedVersion = NuGetVersionFormatter.Normalize(version);
var package = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
if (package == null)
{
// This should only happen if someone hacks the form or if a version of the package is deleted while the user is filling out the form.
return(DeprecateErrorResponse(
HttpStatusCode.NotFound,
string.Format(Strings.DeprecatePackage_MissingVersion, id)));
}
else
{
packagesToUpdate.Add(package);
}
}
var cves = await _deprecationService.GetOrCreateCvesByIdAsync(cveIds, commitChanges : false);
IReadOnlyCollection <Cwe> cwes;
try
{
cwes = _deprecationService.GetCwesById(cweIds);
}
catch (ArgumentException)
{
return(DeprecateErrorResponse(HttpStatusCode.NotFound, Strings.DeprecatePackage_CweMissing));
}
var status = PackageDeprecationStatus.NotDeprecated;
if (isVulnerable)
{
status |= PackageDeprecationStatus.Vulnerable;
}
if (isLegacy)
{
status |= PackageDeprecationStatus.Legacy;
}
if (isOther)
{
status |= PackageDeprecationStatus.Other;
}
await _deprecationService.UpdateDeprecation(
packagesToUpdate,
status,
cves,
cvssRating,
cwes,
alternatePackageRegistration,
alternatePackage,
customMessage);
return(Json(HttpStatusCode.OK));
}