MQE-1354: bug fix in command.php

jilu1 · jilu1 · commit fe2feaec0218 · 2018-12-07T10:10:00.000-06:00
diff --git a/etc/config/command.php b/etc/config/command.php
@@ -4,34 +4,51 @@
  * See COPYING.txt for license details.
  */
 
-if (isset($_POST['command'])) {
+require_once __DIR__ . '/../../../../app/bootstrap.php';
+
+if (isset($_POST['token']) && isset($_POST['command'])) {
+    $magentoObjectManagerFactory = \Magento\Framework\App\Bootstrap::createObjectManagerFactory(BP, $_SERVER);
+    $magentoObjectManager = $magentoObjectManagerFactory->create($_SERVER);
+    $tokenModel = $magentoObjectManager->get(\Magento\Integration\Model\Oauth\Token::class);
+
+    $tokenPassedIn = urldecode($_POST['token']);
     $command = urldecode($_POST['command']);
+
     if (array_key_exists("arguments", $_POST)) {
-        $arguments = urldecode($_POST['arguments']);
+        $arguments = escapeshellarg(urldecode($_POST['arguments']));
     } else {
         $arguments = null;
     }
-    $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php';
-    $valid = validateCommand($command);
-    if ($valid) {
-        exec(
-            escapeCommand($php . ' -f ../../../../bin/magento ' . $command) . " $arguments" ." 2>&1",
-            $output,
-            $exitCode
-        );
-        if ($exitCode == 0) {
-            http_response_code(202);
+
+    // Token returned will be null if the token we passed in is invalid
+    $tokenFromMagento = $tokenModel->loadByToken($tokenPassedIn)->getToken();
+    if (!empty($tokenFromMagento) && ($tokenFromMagento == $tokenPassedIn)) {
+        $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php';
+        $magentoBinary = $php . ' -f ../../../../bin/magento';
+        $valid = validateCommand($magentoBinary, $command);
+        if ($valid) {
+            exec(
+                escapeCommand($magentoBinary . " $command" . " $arguments") . " 2>&1",
+                $output,
+                $exitCode
+            );
+            if ($exitCode == 0) {
+                http_response_code(202);
+            } else {
+                http_response_code(500);
+            }
+            echo implode("\n", $output);
         } else {
-            http_response_code(500);
+            http_response_code(403);
+            echo "Given command not found valid in Magento CLI Command list.";
         }
-        echo implode("\n", $output);
     } else {
-        http_response_code(403);
-        echo "Given command not found valid in Magento CLI Command list.";
+        http_response_code(401);
+        echo("Command not unauthorized.");
     }
 } else {
     http_response_code(412);
-    echo("Command parameter is not set.");
+    echo("Required parameters are not set.");
 }
 
 /**
@@ -55,13 +72,13 @@ function escapeCommand($command)
 
 /**
  * Checks magento list of CLI commands for given $command. Does not check command parameters, just base command.
+ * @param string $magentoBinary
  * @param string $command
  * @return bool
  */
-function validateCommand($command)
+function validateCommand($magentoBinary, $command)
 {
-    $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php';
-    exec($php . ' -f ../../../../bin/magento list', $commandList);
+    exec($magentoBinary . ' list', $commandList);
     // Trim list of commands after first whitespace
     $commandList = array_map("trimAfterWhitespace", $commandList);
     return in_array(trimAfterWhitespace($command), $commandList);
diff --git a/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php b/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php
@@ -51,6 +51,13 @@ class WebapiExecutor extends AbstractExecutor implements CurlInterface
      */
     private $storeCode;
 
+    /**
+     * Admin user auth token.
+     *
+     * @var string
+     */
+    private $authToken;
+
     /**
      * WebapiExecutor Constructor.
      *
@@ -64,12 +71,13 @@ public function __construct($storeCode = null)
         }
 
         $this->storeCode = $storeCode;
+        $this->authToken = null;
         $this->transport = new CurlTransport();
         $this->authorize();
     }
 
     /**
-     * Returns the authorization token needed for some requests via REST call.
+     * Acquire and store the authorization token needed for REST requests.
      *
      * @return void
      * @throws TestFrameworkException
@@ -83,10 +91,8 @@ protected function authorize()
         ];
 
         $this->transport->write($authUrl, json_encode($authCreds), CurlInterface::POST, $this->headers);
-        $this->headers = array_merge(
-            ['Authorization: Bearer ' . str_replace('"', "", $this->read())],
-            $this->headers
-        );
+        $this->authToken = str_replace('"', "", $this->read());
+        $this->headers = array_merge(['Authorization: Bearer ' . $this->authToken], $this->headers);
     }
 
     /**
@@ -159,4 +165,15 @@ public function getFormattedUrl($resource)
         $urlResult.= trim($resource, "/");
         return $urlResult;
     }
+
+    /**
+     * Return admin auth token.
+     *
+     * @throws TestFrameworkException
+     * @return string
+     */
+    public function getAuthToken()
+    {
+        return $this->authToken;
+    }
 }
diff --git a/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php b/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php
@@ -482,17 +482,20 @@ public function magentoCLI($command, $arguments = null)
         );
         $apiURL = $baseUrl . '/' . ltrim(getenv('MAGENTO_CLI_COMMAND_PATH'), '/');
 
+        $restExecutor = new WebapiExecutor();
         $executor = new CurlTransport();
         $executor->write(
             $apiURL,
             [
+                'token' => $restExecutor->getAuthToken(),
                 getenv('MAGENTO_CLI_COMMAND_PARAMETER') => $command,
                 'arguments' => $arguments
             ],
             CurlInterface::POST,
             []
         );
         $response = $executor->read();
+        $restExecutor->close();
         $executor->close();
         return $response;
     }
