Add ownership requests to manage packages page (#4722 from NuGet/sb-o…

…wnerrequests2

src/NuGetGallery.Core/Entities/PackageOwnerRequest.cs

@@ -9,9 +9,10 @@ public class PackageOwnerRequest
         : IEntity
     {
         public int PackageRegistrationKey { get; set; }
+        public virtual PackageRegistration PackageRegistration { get; set; }
         public int NewOwnerKey { get; set; }
-        public User NewOwner { get; set; }
-        public User RequestingOwner { get; set; }
+        public virtual User NewOwner { get; set; }
+        public virtual User RequestingOwner { get; set; }
         public int RequestingOwnerKey { get; set; }
         public string ConfirmationCode { get; set; }
         public DateTime RequestDate { get; set; }

src/NuGetGallery/App_Start/DefaultDependenciesModule.cs

@@ -175,6 +175,11 @@ protected override void Load(ContainerBuilder builder)
                 .AsSelf()
                 .InstancePerLifetimeScope();
 
+            builder.RegisterType<PackageOwnerRequestService>()
+                .AsSelf()
+                .As<IPackageOwnerRequestService>()
+                .InstancePerLifetimeScope();
+
             builder.RegisterType<FormsAuthenticationService>()
                 .As<IFormsAuthenticationService>()
                 .InstancePerLifetimeScope();

src/NuGetGallery/App_Start/Routes.cs

@@ -147,7 +147,17 @@ public static void RegisterUIRoutes(RouteCollection routes)
             routes.MapRoute(
                 RouteName.PackageOwnerConfirmation,
                 "packages/{id}/owners/{username}/confirm/{token}",
-                new { controller = "Packages", action = "ConfirmOwner" });
+                new { controller = "Packages", action = "ConfirmPendingOwnershipRequest" });
+
+            routes.MapRoute(
+                RouteName.PackageOwnerRejection,
+                "packages/{id}/owners/{username}/reject/{token}",
+                new { controller = "Packages", action = "RejectPendingOwnershipRequest" });
+
+            routes.MapRoute(
+                RouteName.PackageOwnerCancellation,
+                "packages/{id}/owners/{username}/cancel/{token}",
+                new { controller = "Packages", action = "CancelPendingOwnershipRequest" });
 
             // We need the following two routes (rather than just one) due to Routing's
             // Consecutive Optional Parameter bug. :(

src/NuGetGallery/Controllers/AuthenticationController.cs

@@ -255,9 +255,7 @@ public virtual async Task<ActionResult> Register(LogOnViewModel model, string re
             {
                 _messageService.SendNewAccountEmail(
                     new MailAddress(user.User.UnconfirmedEmailAddress, user.User.Username),
-                    Url.ConfirmationUrl(
-                        "Confirm",
-                        "Users",
+                    Url.ConfirmEmail(
                         user.User.Username,
                         user.User.EmailConfirmationToken,
                         relativeUrl: false));

src/NuGetGallery/Controllers/JsonApiController.cs

@@ -19,7 +19,7 @@ public partial class JsonApiController
         : AppController
     {
         private readonly IMessageService _messageService;
-        private readonly IEntityRepository<PackageOwnerRequest> _packageOwnerRequestRepository;
+        private readonly IPackageOwnerRequestService _packageOwnerRequestService;
         private readonly IPackageService _packageService;
         private readonly IUserService _userService;
         private readonly IAppConfiguration _appConfiguration;
@@ -28,14 +28,14 @@ public partial class JsonApiController
         public JsonApiController(
             IPackageService packageService,
             IUserService userService,
-            IEntityRepository<PackageOwnerRequest> packageOwnerRequestRepository,
+            IPackageOwnerRequestService packageOwnerRequestService,
             IMessageService messageService,
             IAppConfiguration appConfiguration,
             ISecurityPolicyService policyService)
         {
             _packageService = packageService;
             _userService = userService;
-            _packageOwnerRequestRepository = packageOwnerRequestRepository;
+            _packageOwnerRequestService = packageOwnerRequestService;
             _messageService = messageService;
             _appConfiguration = appConfiguration;
             _policyService = policyService;
@@ -64,15 +64,15 @@ public virtual ActionResult GetPackageOwners(string id, string version)
                                  Pending = false
                              };
 
-            var pending = from u in _packageOwnerRequestRepository.GetAll()
-                          where u.PackageRegistrationKey == package.PackageRegistration.Key
-                          select new
-                              {
-                                  Name = u.NewOwner.Username,
-                                  EmailAddress = u.NewOwner.EmailAddress,
-                                  Current = false,
-                                  Pending = true
-                              };
+            var pending = 
+                _packageOwnerRequestService.GetPackageOwnershipRequests(package: package.PackageRegistration)
+                .Select(r => new
+                {
+                    Name = r.NewOwner.Username,
+                    EmailAddress = r.NewOwner.EmailAddress,
+                    Current = false,
+                    Pending = true
+                });
 
             var result = owners.Union(pending).Select(o => new
             {
@@ -113,20 +113,27 @@ public async Task<JsonResult> AddPackageOwner(string id, string username, string
             if (TryGetManagePackageOwnerModel(id, username, out model))
             {
                 var encodedMessage = HttpUtility.HtmlEncode(message);
-                var ownerRequest = await _packageService.CreatePackageOwnerRequestAsync(
+
+                var ownerRequest = await _packageOwnerRequestService.AddPackageOwnershipRequest(
                     model.Package, model.CurrentUser, model.User);
-                var confirmationUrl = Url.ConfirmationUrl(
-                    "ConfirmOwner",
-                    "Packages",
+
+                var confirmationUrl = Url.ConfirmPendingOwnershipRequest(
+                    model.Package.Id,
+                    model.User.Username,
+                    ownerRequest.ConfirmationCode,
+                    relativeUrl: false);
+
+                var rejectionUrl = Url.RejectPendingOwnershipRequest(
+                    model.Package.Id,
                     model.User.Username,
                     ownerRequest.ConfirmationCode,
-                    new { id = model.Package.Id },
                     relativeUrl: false);
+
                 var packageUrl = Url.Package(model.Package.Id, version: null, relativeUrl: false);
                 var policyMessage = GetNoticeOfPoliciesRequiredMessage(model.Package, model.User, model.CurrentUser);
 
                 _messageService.SendPackageOwnerRequest(model.CurrentUser, model.User, model.Package, packageUrl,
-                    confirmationUrl, encodedMessage, policyMessage);
+                    confirmationUrl, rejectionUrl, encodedMessage, policyMessage);
 
                 return Json(new
                 {
@@ -150,9 +157,18 @@ public async Task<JsonResult> RemovePackageOwner(string id, string username)
             ManagePackageOwnerModel model;
             if (TryGetManagePackageOwnerModel(id, username, out model))
             {
+                var request = _packageOwnerRequestService.GetPackageOwnershipRequests(package: model.Package, newOwner: model.User).FirstOrDefault();
+
                 await _packageService.RemovePackageOwnerAsync(model.Package, model.User);
 
-                _messageService.SendPackageOwnerRemovedNotice(model.CurrentUser, model.User, model.Package);
+                if (request == null)
+                {
+                    _messageService.SendPackageOwnerRemovedNotice(model.CurrentUser, model.User, model.Package);
+                }
+                else
+                {
+                    _messageService.SendPackageOwnerRequestCancellationNotice(model.CurrentUser, model.User, model.Package);
+                }
 
                 return Json(new { success = true });
             }
@@ -241,8 +257,7 @@ private IEnumerable<string> GetPropagatingOwners(PackageRegistration package)
 
         private IEnumerable<string> GetPendingPropagatingOwners(PackageRegistration package)
         {
-            return _packageOwnerRequestRepository.GetAll()
-                .Where(po => po.PackageRegistrationKey == package.Key)
+            return _packageOwnerRequestService.GetPackageOwnershipRequests(package: package)
                 .Select(po => po.NewOwner)
                 .Where(RequireSecurePushForCoOwnersPolicy.IsSubscribed)
                 .Select(po => po.Username);

src/NuGetGallery/Controllers/PackagesController.cs

@@ -44,9 +44,11 @@ public partial class PackagesController
         private readonly IAppConfiguration _config;
         private readonly IMessageService _messageService;
         private readonly IPackageService _packageService;
+        private readonly IPackageOwnerRequestService _packageOwnerRequestService;
         private readonly IPackageFileService _packageFileService;
         private readonly ISearchService _searchService;
         private readonly IUploadFileService _uploadFileService;
+        private readonly IUserService _userService;
         private readonly IEntitiesContext _entitiesContext;
         private readonly IIndexingService _indexingService;
         private readonly ICacheService _cacheService;
@@ -62,7 +64,9 @@ public partial class PackagesController
 
         public PackagesController(
             IPackageService packageService,
+            IPackageOwnerRequestService packageOwnerRequestService,
             IUploadFileService uploadFileService,
+            IUserService userService,
             IMessageService messageService,
             ISearchService searchService,
             IAutomaticallyCuratePackageCommand autoCuratedPackageCmd,
@@ -82,7 +86,9 @@ public PackagesController(
             IReadMeService readMeService)
         {
             _packageService = packageService;
+            _packageOwnerRequestService = packageOwnerRequestService;
             _uploadFileService = uploadFileService;
+            _userService = userService;
             _messageService = messageService;
             _searchService = searchService;
             _autoCuratedPackageCmd = autoCuratedPackageCmd;
@@ -1114,18 +1120,32 @@ public virtual async Task<JsonResult> Edit(string id, string version, VerifyPack
             });
         }
 
+        [HttpGet]
         [Authorize]
         [RequiresAccountConfirmation("accept ownership of a package")]
-        public virtual async Task<ActionResult> ConfirmOwner(string id, string username, string token)
+        public virtual Task<ActionResult> ConfirmPendingOwnershipRequest(string id, string username, string token)
+        {
+            return HandleOwnershipRequest(id, username, token, accept: true);
+        }
+
+        [HttpGet]
+        [Authorize]
+        [RequiresAccountConfirmation("reject ownership of a package")]
+        public virtual Task<ActionResult> RejectPendingOwnershipRequest(string id, string username, string token)
         {
-            if (String.IsNullOrEmpty(token))
+            return HandleOwnershipRequest(id, username, token, accept: false);
+        }
+
+        private async Task<ActionResult> HandleOwnershipRequest(string id, string username, string token, bool accept)
+        {
+            if (string.IsNullOrEmpty(token))
             {
                 return HttpNotFound();
             }
 
-            if (!String.Equals(username, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
+            if (!string.Equals(username, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
             {
-                return View(new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.NotYourRequest));
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.NotYourRequest));
             }
 
             var package = _packageService.FindPackageRegistrationById(id);
@@ -1137,21 +1157,72 @@ public virtual async Task<ActionResult> ConfirmOwner(string id, string username,
             var user = GetCurrentUser();
             if (package.IsOwner(user))
             {
-                return View(new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.AlreadyOwner));
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.AlreadyOwner));
+            }
+
+            var request = _packageOwnerRequestService.GetPackageOwnershipRequest(package, user, token);
+            if (request == null)
+            {
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.Failure));
+            }
+
+            if (accept)
+            {
+                var result = await HandleSecurePushPropagation(package, user);
+
+                await _packageService.AddPackageOwnerAsync(package, user);
+
+                SendAddPackageOwnerNotification(package, user, result.Item1, result.Item2);
+
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.Success));
+            }
+            else
+            {
+                var requestingUser = request.RequestingOwner;
+
+                await _packageService.RemovePackageOwnerAsync(package, user);
+
+                _messageService.SendPackageOwnerRequestRejectionNotice(requestingUser, user, package);
+
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.Rejected));
             }
+        }
 
-            if (!_packageService.IsValidPackageOwnerRequest(package, user, token))
+        [HttpGet]
+        [Authorize]
+        [RequiresAccountConfirmation("cancel pending ownership request")]
+        public virtual async Task<ActionResult> CancelPendingOwnershipRequest(string id, string requestingUsername, string pendingUsername)
+        {
+            if (!string.Equals(requestingUsername, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
             {
-                return View(new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.Failure));
+                return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, requestingUsername, ConfirmOwnershipResult.NotYourRequest));
             }
 
-            var result = await HandleSecurePushPropagation(package, user);
+            var package = _packageService.FindPackageRegistrationById(id);
+            if (package == null)
+            {
+                return HttpNotFound();
+            }
+
+            var requestingUser = GetCurrentUser();
+
+            var pendingUser = _userService.FindByUsername(pendingUsername);
+            if (pendingUser == null)
+            {
+                return HttpNotFound();
+            }
+
+            var request = _packageOwnerRequestService.GetPackageOwnershipRequests(package, requestingUser, pendingUser).FirstOrDefault();
+            if (request == null)
+            {
+                return HttpNotFound();
+            }
 
-            await _packageService.AddPackageOwnerAsync(package, user);
+            await _packageOwnerRequestService.DeletePackageOwnershipRequest(request);
 
-            SendAddPackageOwnerNotification(package, user, result.Item1, result.Item2);
+            _messageService.SendPackageOwnerRequestCancellationNotice(requestingUser, pendingUser, package);
 
-            return View(new PackageOwnerConfirmationModel(id, username, ConfirmOwnershipResult.Success));
+            return View("ConfirmOwner", new PackageOwnerConfirmationModel(id, pendingUsername, ConfirmOwnershipResult.Cancelled));
         }
 
         /// <summary>

src/NuGetGallery/Controllers/UsersController.cs

@@ -21,6 +21,7 @@ public partial class UsersController
         private readonly IUserService _userService;
         private readonly IMessageService _messageService;
         private readonly IPackageService _packageService;
+        private readonly IPackageOwnerRequestService _packageOwnerRequestService;
         private readonly IAppConfiguration _config;
         private readonly AuthenticationService _authService;
         private readonly ICredentialBuilder _credentialBuilder;
@@ -29,6 +30,7 @@ public UsersController(
             ICuratedFeedService feedsQuery,
             IUserService userService,
             IPackageService packageService,
+            IPackageOwnerRequestService packageOwnerRequestService,
             IMessageService messageService,
             IAppConfiguration config,
             AuthenticationService authService,
@@ -37,6 +39,7 @@ public UsersController(
             _curatedFeedService = feedsQuery ?? throw new ArgumentNullException(nameof(feedsQuery));
             _userService = userService ?? throw new ArgumentNullException(nameof(userService));
             _packageService = packageService ?? throw new ArgumentNullException(nameof(packageService));
+            _packageOwnerRequestService = packageOwnerRequestService ?? throw new ArgumentNullException(nameof(packageOwnerRequestService));
             _messageService = messageService ?? throw new ArgumentNullException(nameof(messageService));
             _config = config ?? throw new ArgumentNullException(nameof(config));
             _authService = authService ?? throw new ArgumentNullException(nameof(authService));
@@ -58,8 +61,7 @@ public virtual ActionResult ConfirmationRequired()
         public virtual ActionResult ConfirmationRequiredPost()
         {
             User user = GetCurrentUser();
-            var confirmationUrl = Url.ConfirmationUrl(
-                "Confirm", "Users", user.Username, user.EmailConfirmationToken, relativeUrl: false);
+            var confirmationUrl = Url.ConfirmEmail(user.Username, user.EmailConfirmationToken, relativeUrl: false);
 
             var alreadyConfirmed = user.UnconfirmedEmailAddress == null;
 
@@ -155,9 +157,15 @@ public virtual ActionResult Packages()
             var packages = _packageService.FindPackagesByOwner(user, includeUnlisted: true)
                 .Select(p => new ListPackageItemViewModel(p)).OrderBy(p => p.Id).ToList();
 
+            var incoming = _packageOwnerRequestService.GetPackageOwnershipRequests(newOwner: user);
+            var outgoing = _packageOwnerRequestService.GetPackageOwnershipRequests(requestingOwner: user);
+
+            var ownerRequests = new OwnerRequestsViewModel(incoming, outgoing, user, _packageService);
+
             var model = new ManagePackagesViewModel
             {
-                Packages = packages
+                Packages = packages,
+                OwnerRequests = ownerRequests
             };
             return View(model);
         }
@@ -389,8 +397,7 @@ public virtual async Task<ActionResult> ChangeEmail(AccountViewModel model)
 
             if (user.Confirmed)
             {
-                var confirmationUrl = Url.ConfirmationUrl(
-                    "Confirm", "Users", user.Username, user.EmailConfirmationToken, relativeUrl: false);
+                var confirmationUrl = Url.ConfirmEmail(user.Username, user.EmailConfirmationToken, relativeUrl: false);
                 _messageService.SendEmailChangeConfirmationNotice(new MailAddress(user.UnconfirmedEmailAddress, user.Username), confirmationUrl);
 
                 TempData["Message"] = Strings.EmailUpdated_ConfirmationRequired;
@@ -751,12 +758,10 @@ private static int CountLoginCredentials(User user)
 
         private ActionResult SendPasswordResetEmail(User user, bool forgotPassword)
         {
-            var resetPasswordUrl = Url.ConfirmationUrl(
-                "ResetPassword",
-                "Users",
+            var resetPasswordUrl = Url.ResetEmailOrPassword(
                 user.Username,
                 user.PasswordResetToken,
-                new { forgot = forgotPassword },
+                forgotPassword,
                 relativeUrl: false);
             _messageService.SendPasswordResetInstructions(user, resetPasswordUrl, forgotPassword);