Merge pull request #37 from magento-gl/Arrows_IMS_17Mar23

Adobe IMS Phase 2 Security Fixes

Author: andimov

AdminAdobeIms/Controller/Adminhtml/OAuth/ImsCallback.php

@@ -16,6 +16,9 @@
 use Magento\Backend\Controller\Adminhtml\Auth;
 use Magento\Backend\Model\View\Result\Redirect;
 use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\ActionInterface;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\ResponseInterface;
 
 /**
  * Callback for handling redirect from Adobe IMS
@@ -57,6 +60,28 @@ public function __construct(
         $this->userContext = $userContext;
     }
 
+    /**
+     * Validate IMS state is valid
+     *
+     * @param RequestInterface $request
+     * @return ResponseInterface
+     */
+    public function dispatch(RequestInterface $request)
+    {
+        $request->setParam('form_key', $request->getParam('state', null));
+        if (!$this->_formKeyValidator->validate($request)) {
+            $this->logger->critical(__('Invalid state returned in callback from IMS.'));
+            $this->imsErrorMessage(
+                'Error signing in',
+                'Something went wrong and we could not sign you in. ' .
+                'Please try again or contact your administrator.'
+            );
+            $this->_actionFlag->set('', ActionInterface::FLAG_NO_DISPATCH, true);
+            return $this->_redirect($this->_helper->getHomePageUrl());
+        }
+        return parent::dispatch($request);
+    }
+
     /**
      * Execute AdobeIMS callback
      *

AdminAdobeIms/Controller/Adminhtml/OAuth/ImsReauthCallback.php

@@ -14,9 +14,11 @@
 use Magento\Backend\App\Action\Context;
 use Magento\Backend\Controller\Adminhtml\Auth;
 use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Controller\Result\Raw;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\Controller\ResultInterface;
+use Magento\Framework\Exception\NotFoundException;
 
 class ImsReauthCallback extends Auth implements HttpGetActionInterface
 {
@@ -91,6 +93,7 @@ public function execute(): ResultInterface
         }
 
         try {
+            $this->validateStateKey($this->getRequest());
             $this->adminTokenUserService->processLoginRequest(true);
 
             $response = sprintf(
@@ -112,4 +115,19 @@ public function execute(): ResultInterface
 
         return $resultRaw;
     }
+
+    /**
+     * Validate IMS state is valid
+     *
+     * @param RequestInterface $request
+     * @return void
+     * @throws NotFoundException
+     */
+    private function validateStateKey(RequestInterface $request): void
+    {
+        $request->setParam('form_key', $request->getParam('state', null));
+        if (!$this->_formKeyValidator->validate($request)) {
+            throw new NotFoundException(__('Invalid state returned from IMS'));
+        }
+    }
 }

AdminAdobeIms/Plugin/UpdateUserFormFieldsPlugin.php

@@ -0,0 +1,72 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Plugin;
+
+use Magento\AdminAdobeIms\Service\ImsConfig;
+use Magento\Backend\Block\Widget\Form as WidgetForm;
+use Magento\Framework\Data\Form as DataForm;
+
+/**
+ * Plugin Class used to change the user form field to readonly for IMS users
+ */
+class UpdateUserFormFieldsPlugin
+{
+    /**
+     * @var ImsConfig
+     */
+    private ImsConfig $adminImsConfig;
+
+    /**
+     * @var array
+     */
+    private array $fieldsToReadonly = [
+        'email',
+        'username',
+        'firstname',
+        'lastname'
+    ];
+
+    /**
+     * @param ImsConfig $adminImsConfig
+     */
+    public function __construct(ImsConfig $adminImsConfig)
+    {
+        $this->adminImsConfig = $adminImsConfig;
+    }
+
+    /**
+     * Update fields to readonly if adobe ims is enabled
+     *
+     * @param WidgetForm $subject
+     * @param DataForm $result
+     * @return DataForm
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     * @SuppressWarnings(PHPMD.NPathComplexity)
+     */
+    public function afterGetForm(WidgetForm $subject, DataForm $result): DataForm
+    {
+        if ($this->adminImsConfig->enabled() === false) {
+            return $result;
+        }
+
+        if ($result->getElement('base_fieldset')) {
+            $disableLocaleField = false;
+            foreach ($result->getElement('base_fieldset')->getElements() as $element) {
+                if (in_array($element->getId(), $this->fieldsToReadonly, true) && $element->getValue()) {
+                    $disableLocaleField = true;
+                    $element->setData('readonly', true);
+                }
+                if ($element->getId() === 'interface_locale' && $disableLocaleField) {
+                    $element->setData('readonly', true);
+                }
+            }
+        }
+        return $result;
+    }
+}

AdminAdobeIms/Plugin/UserSavePlugin.php

@@ -9,7 +9,9 @@
 
 use Exception;
 use Magento\AdminAdobeIms\Service\ImsConfig;
+use Magento\User\Model\ResourceModel\User as UserResourceModel;
 use Magento\User\Model\User;
+use Magento\User\Model\UserFactory;
 
 class UserSavePlugin
 {
@@ -18,18 +20,35 @@ class UserSavePlugin
      */
     private ImsConfig $adminImsConfig;
 
+    /**
+     * @var UserFactory
+     */
+    private UserFactory $userFactory;
+
+    /**
+     * @var UserResourceModel
+     */
+    private UserResourceModel $userResource;
+
     /**
      * @param ImsConfig $adminImsConfig
+     * @param UserFactory $userFactory
+     * @param UserResourceModel $userResource
      */
     public function __construct(
-        ImsConfig $adminImsConfig
+        ImsConfig $adminImsConfig,
+        UserFactory $userFactory,
+        UserResourceModel $userResource
     ) {
         $this->adminImsConfig = $adminImsConfig;
+        $this->userFactory = $userFactory;
+        $this->userResource = $userResource;
     }
 
     /**
      * Generate a random password for new user when AdminAdobeIMS Module is enabled
      *
+     * And revert firstname, lastname, username, email, and InterfaceLocale to original for saved user.
      * We create a random password for the user, because User Object needs to have a password
      * and this way we do not need to update the db_schema or add a lot of complex preferences
      *
@@ -46,10 +65,31 @@ public function beforeBeforeSave(User $subject): array
         if (!$subject->getId()) {
             $subject->setPassword($this->generateRandomPassword());
         }
+        $this->revertReadonlyFieldsData($subject);
 
         return [];
     }
 
+    /**
+     * Revert fields to original state because these fields are readonly for IMS User
+     *
+     * @param User $subject
+     * @return void
+     */
+    private function revertReadonlyFieldsData(User $subject): void
+    {
+        if ($subject->hasDataChanges() && $subject->getId()) {
+            $savedUser = $this->userFactory->create();
+            $this->userResource->load($savedUser, $subject->getId());
+
+            $subject->setUserName($savedUser->getUserName());
+            $subject->setEmail($savedUser->getEmail());
+            $subject->setFirstName($savedUser->getFirstName());
+            $subject->setLastName($savedUser->getLastName());
+            $subject->setInterfaceLocale($savedUser->getInterfaceLocale());
+        }
+    }
+
     /**
      * Generate random password string
      *

AdminAdobeIms/Plugin/ValidateAccessTokenPlugin.php

@@ -0,0 +1,61 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Plugin;
+
+use Magento\AdminAdobeIms\Logger\AdminAdobeImsLogger;
+use Magento\AdobeImsApi\Api\IsTokenValidInterface;
+use Magento\Backend\Model\Auth;
+
+/**
+ * Validate ims access token
+ */
+class ValidateAccessTokenPlugin
+{
+    /**
+     * @var AdminAdobeImsLogger
+     */
+    private AdminAdobeImsLogger $logger;
+
+    /**
+     * @var IsTokenValidInterface
+     */
+    private IsTokenValidInterface $isTokenValid;
+
+    /**
+     * @param IsTokenValidInterface $isTokenValid
+     * @param AdminAdobeImsLogger $logger
+     */
+    public function __construct(
+        IsTokenValidInterface $isTokenValid,
+        AdminAdobeImsLogger $logger
+    ) {
+        $this->isTokenValid = $isTokenValid;
+        $this->logger = $logger;
+    }
+
+    /**
+     * Check if IMS access token is still valid
+     *
+     * @param Auth $subject
+     * @param bool $result
+     * @return bool
+     * @throws \Magento\Framework\Exception\AuthorizationException
+     */
+    public function afterIsLoggedIn(Auth $subject, bool $result): bool
+    {
+        $accessToken = $subject->getAuthStorage()->getAdobeAccessToken();
+        if ($result && $accessToken) {
+            if (!$this->isTokenValid->validateToken($accessToken)) {
+                $subject->logout();
+                $this->logger->error('Admin Access Token is not valid');
+                return false;
+            }
+        }
+        return $result;
+    }
+}