[OIDC 7] DB migration for federated credentials, associate policy with API key #10285

Status: Open. Wants to merge 1 commit into base branch dev.

Conversation

joelverhagen (Member) commented Nov 27, 2024

Important

This PR contains a DB migration. During deployment, we must execute Entity Framework DB migrations prior to deploying the new code.

Progress on #10212.
Depends on #10269.

This PR introduces database changes to support the OIDC feature. We are adding two new tables and adding a new column to the existing Credentials table.

  • New table: FederatedCredentialPolicies - this stores the criteria used to evaluate federated credentials such as OIDC JWTs. See FederatedCredentialEvaluator to see how the columns are used.
    • Foreign key links to Users via the CreatedByUserKey and PackageOwnerUserKey columns.
    • There are two 1:N (one to many) relationships from user to federated credential policy, one to track who created the policy (user only) and one to track which package owner.
  • New table: FederatedCredentials - this stores federated credentials that have been used, in order to detect token replay.
    • This table links to the FederatedCredentialPolicies table without a foreign key. If a policy is deleted, the federated credential record should not be removed, otherwise replay could occur. It is totally possible for a federated credential record to refer to a policy key that no longer exists. I added the column so we have a persistent record of the policy that was used to accept the federated credential. This can be used to correlate with existing records or make sense of audit logs.
    • This table has a unique index on the Identity string column so we can detect replay (duplicate uti or jti JWT claims).
  • New column: optional FederatedCredentialPolicyKey on the Credentials table - this allows us to associate a policy with a short-lived API key that was created. In audit logs this will allow us to correlate a federated credential (JWT claims) with an API key that is used for a privileged action. Also, it allows us to delete short-lived API keys if the policy is deleted (manual revocation).
    • This is a new 1:N (one to many) relationship from policy to credential (API key). It is possible for API keys and other credential types to have no related policy. It is possible for a policy to have no related credentials. The application ensures only API keys relate to policies, although the DB schema does allow non-API key credentials to have a policy key (due to our generic Credentials table design).

SQL:

CREATE TABLE [dbo].[FederatedCredentialPolicies] (
    [Key] [int] NOT NULL IDENTITY,
    [Created] [datetime2](7) NOT NULL,
    [LastMatched] [datetime2](7),
    [TypeKey] [int] NOT NULL,
    [Criteria] [nvarchar](max) NOT NULL,
    [CreatedByUserKey] [int] NOT NULL,
    [PackageOwnerUserKey] [int] NOT NULL,
    CONSTRAINT [PK_dbo.FederatedCredentialPolicies] PRIMARY KEY ([Key])
)
CREATE INDEX [IX_CreatedByUserKey] ON [dbo].[FederatedCredentialPolicies]([CreatedByUserKey])
CREATE INDEX [IX_PackageOwnerUserKey] ON [dbo].[FederatedCredentialPolicies]([PackageOwnerUserKey])
CREATE TABLE [dbo].[FederatedCredentials] (
    [Key] [int] NOT NULL IDENTITY,
    [TypeKey] [int] NOT NULL,
    [FederatedCredentialPolicyKey] [int] NOT NULL,
    [Identity] [nvarchar](64),
    [Created] [datetime2](7) NOT NULL,
    [Expires] [datetime2](7),
    CONSTRAINT [PK_dbo.FederatedCredentials] PRIMARY KEY ([Key])
)
CREATE INDEX [IX_FederatedCredentialPolicyKey] ON [dbo].[FederatedCredentials]([FederatedCredentialPolicyKey])
CREATE UNIQUE INDEX [IX_Identity] ON [dbo].[FederatedCredentials]([Identity])
ALTER TABLE [dbo].[Credentials] ADD [FederatedCredentialPolicyKey] [int]
CREATE INDEX [IX_FederatedCredentialPolicyKey] ON [dbo].[Credentials]([FederatedCredentialPolicyKey])
ALTER TABLE [dbo].[Credentials] ADD CONSTRAINT [FK_dbo.Credentials_dbo.FederatedCredentialPolicies_FederatedCredentialPolicyKey] FOREIGN KEY ([FederatedCredentialPolicyKey]) REFERENCES [dbo].[FederatedCredentialPolicies] ([Key])
ALTER TABLE [dbo].[FederatedCredentialPolicies] ADD CONSTRAINT [FK_dbo.FederatedCredentialPolicies_dbo.Users_CreatedByUserKey] FOREIGN KEY ([CreatedByUserKey]) REFERENCES [dbo].[Users] ([Key])
ALTER TABLE [dbo].[FederatedCredentialPolicies] ADD CONSTRAINT [FK_dbo.FederatedCredentialPolicies_dbo.Users_PackageOwnerUserKey] FOREIGN KEY ([PackageOwnerUserKey]) REFERENCES [dbo].[Users] ([Key])

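An added example, not code from this PR or the NuGet Gallery code base, that models the two design points above in a constructed SQLite approximation of the migration: the unique index on Identity rejects a replayed jti, and because FederatedCredentials carries no foreign key to the policy table, the replay record survives a manual policy revocation while the policy's API keys (which do carry the FK) are removed first. The Credentials column set, the policy row and the jti/API key values are constructed for the example.

```python
import sqlite3

# Constructed SQLite rendering of the migration (SQL Server types simplified).
SCHEMA = """
CREATE TABLE FederatedCredentialPolicies (
    [Key] INTEGER PRIMARY KEY, TypeKey INT NOT NULL, Criteria TEXT NOT NULL,
    CreatedByUserKey INT NOT NULL, PackageOwnerUserKey INT NOT NULL);
CREATE TABLE FederatedCredentials (
    [Key] INTEGER PRIMARY KEY, TypeKey INT NOT NULL,
    FederatedCredentialPolicyKey INT NOT NULL,  -- deliberately NO foreign key
    Identity TEXT, Created TEXT NOT NULL, Expires TEXT);
CREATE UNIQUE INDEX IX_Identity ON FederatedCredentials(Identity);  -- replay guard
CREATE TABLE Credentials (
    [Key] INTEGER PRIMARY KEY, Type TEXT NOT NULL, Value TEXT NOT NULL,
    FederatedCredentialPolicyKey INT REFERENCES FederatedCredentialPolicies([Key]));
"""

def open_db():
    """In-memory DB with one constructed policy (key 1) owned by user 42."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO FederatedCredentialPolicies VALUES (1, 0, "
                 "'{\"iss\": \"https://issuer.example\"}', 42, 42)")
    return conn

def accept_token(conn, policy_key, jti, created="2024-11-27T00:00:00Z", expires=None):
    """Record a presented JWT by its jti; False means the jti was already consumed (replay)."""
    try:
        conn.execute("INSERT INTO FederatedCredentials (TypeKey, FederatedCredentialPolicyKey,"
                     " Identity, Created, Expires) VALUES (0, ?, ?, ?, ?)",
                     (policy_key, jti, created, expires))
    except sqlite3.IntegrityError:
        return False  # IX_Identity violated: same uti/jti seen before
    # Mint a short-lived API key linked to the policy for audit correlation.
    conn.execute("INSERT INTO Credentials (Type, Value, FederatedCredentialPolicyKey)"
                 " VALUES ('apikey.v4', ?, ?)", ("constructed-key-for-" + jti, policy_key))
    return True

def revoke_policy(conn, policy_key):
    """Manual revocation: delete the policy's API keys (FK would block otherwise), then the policy."""
    conn.execute("DELETE FROM Credentials WHERE FederatedCredentialPolicyKey = ?", (policy_key,))
    conn.execute("DELETE FROM FederatedCredentialPolicies WHERE [Key] = ?", (policy_key,))

def counts(conn):
    """(federated credential records, API key credentials) currently stored."""
    fc = conn.execute("SELECT COUNT(*) FROM FederatedCredentials").fetchone()[0]
    cr = conn.execute("SELECT COUNT(*) FROM Credentials").fetchone()[0]
    return fc, cr
```

After revoke_policy the replay record still refers to policy key 1 even though that policy row is gone, which is exactly the dangling-reference state the description says is acceptable.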