From fe2feaec0218bf975c9e057677a63bd119f611f3 Mon Sep 17 00:00:00 2001
From: Ji Lu
Date: Fri, 7 Dec 2018 10:10:00 -0600
Subject: [PATCH 1/2] MQE-1354: bug fix in command.php

---
 etc/config/command.php | 57 ++++++++++++-------
 .../Persist/Curl/WebapiExecutor.php | 27 +++++++--
 .../Module/MagentoWebDriver.php | 3 +
 3 files changed, 62 insertions(+), 25 deletions(-)

diff --git a/etc/config/command.php b/etc/config/command.php
index b24bafd31..55b9fd1e9 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -4,34 +4,51 @@
  * See COPYING.txt for license details.
  */
 
-if (isset($_POST['command'])) {
+require_once __DIR__ . '/../../../../app/bootstrap.php';
+
+if (isset($_POST['token']) && isset($_POST['command'])) {
+    $magentoObjectManagerFactory = \Magento\Framework\App\Bootstrap::createObjectManagerFactory(BP, $_SERVER);
+    $magentoObjectManager = $magentoObjectManagerFactory->create($_SERVER);
+    $tokenModel = $magentoObjectManager->get(\Magento\Integration\Model\Oauth\Token::class);
+
+    $tokenPassedIn = urldecode($_POST['token']);
     $command = urldecode($_POST['command']);
+
     if (array_key_exists("arguments", $_POST)) {
-        $arguments = urldecode($_POST['arguments']);
+        $arguments = escapeshellarg(urldecode($_POST['arguments']));
     } else {
         $arguments = null;
     }
-    $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php';
-    $valid = validateCommand($command);
-    if ($valid) {
-        exec(
-            escapeCommand($php . ' -f ../../../../bin/magento ' . $command) . " $arguments" ." 2>&1",
-            $output,
-            $exitCode
-        );
-        if ($exitCode == 0) {
-            http_response_code(202);
+
+    // Token returned will be null if the token we passed in is invalid
+    $tokenFromMagento = $tokenModel->loadByToken($tokenPassedIn)->getToken();
+    if (!empty($tokenFromMagento) && ($tokenFromMagento == $tokenPassedIn)) {
+        $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php';
+        $magentoBinary = $php . ' -f ../../../../bin/magento';
+        $valid = validateCommand($magentoBinary, $command);
+        if ($valid) {
+            exec(
+                escapeCommand($magentoBinary . " $command" . " $arguments") .
" 2>&1", + $output, + $exitCode + ); + if ($exitCode == 0) { + http_response_code(202); + } else { + http_response_code(500); + } + echo implode("\n", $output); } else { - http_response_code(500); + http_response_code(403); + echo "Given command not found valid in Magento CLI Command list."; } - echo implode("\n", $output); } else { - http_response_code(403); - echo "Given command not found valid in Magento CLI Command list."; + http_response_code(401); + echo("Command not unauthorized."); } } else { http_response_code(412); - echo("Command parameter is not set."); + echo("Required parameters are not set."); } /** @@ -55,13 +72,13 @@ function escapeCommand($command) /** * Checks magento list of CLI commands for given $command. Does not check command parameters, just base command. + * @param string $magentoBinary * @param string $command * @return bool */ -function validateCommand($command) +function validateCommand($magentoBinary, $command) { - $php = PHP_BINDIR ? PHP_BINDIR . '/php' : 'php'; - exec($php . ' -f ../../../../bin/magento list', $commandList); + exec($magentoBinary . ' list', $commandList); // Trim list of commands after first whitespace $commandList = array_map("trimAfterWhitespace", $commandList); return in_array(trimAfterWhitespace($command), $commandList); diff --git a/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php b/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php index 16fef75f2..8b887beef 100644 --- a/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php +++ b/src/Magento/FunctionalTestingFramework/DataGenerator/Persist/Curl/WebapiExecutor.php @@ -51,6 +51,13 @@ class WebapiExecutor extends AbstractExecutor implements CurlInterface */ private $storeCode; + /** + * Admin user auth token. + * + * @var string + */ + private $authToken; + /** * WebapiExecutor Constructor. * 
@@ -64,12 +71,13 @@ public function __construct($storeCode = null)
         }
 
         $this->storeCode = $storeCode;
+        $this->authToken = null;
         $this->transport = new CurlTransport();
         $this->authorize();
     }
 
     /**
-     * Returns the authorization token needed for some requests via REST call.
+     * Acquire and store the authorization token needed for REST requests.
      *
      * @return void
      * @throws TestFrameworkException
@@ -83,10 +91,8 @@ protected function authorize()
         ];
 
         $this->transport->write($authUrl, json_encode($authCreds), CurlInterface::POST, $this->headers);
-        $this->headers = array_merge(
-            ['Authorization: Bearer ' . str_replace('"', "", $this->read())],
-            $this->headers
-        );
+        $this->authToken = str_replace('"', "", $this->read());
+        $this->headers = array_merge(['Authorization: Bearer ' . $this->authToken], $this->headers);
     }
 
     /**
@@ -159,4 +165,15 @@ public function getFormattedUrl($resource)
         $urlResult.= trim($resource, "/");
         return $urlResult;
     }
+
+    /**
+     * Return admin auth token.
+     *
+     * @throws TestFrameworkException
+     * @return string
+     */
+    public function getAuthToken()
+    {
+        return $this->authToken;
+    }
 }
diff --git a/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php b/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php
index 452a40bde..a15ed757e 100644
--- a/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php
+++ b/src/Magento/FunctionalTestingFramework/Module/MagentoWebDriver.php
@@ -482,10 +482,12 @@ public function magentoCLI($command, $arguments = null)
         );
 
         $apiURL = $baseUrl . '/' . ltrim(getenv('MAGENTO_CLI_COMMAND_PATH'), '/');
+        $restExecutor = new WebapiExecutor();
         $executor = new CurlTransport();
         $executor->write(
             $apiURL,
             [
+                'token' => $restExecutor->getAuthToken(),
                 getenv('MAGENTO_CLI_COMMAND_PARAMETER') => $command,
                 'arguments' => $arguments
             ],
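Review bot: `$this->authToken = str_replace('"', "", $this->read());` takes the whole response body, quotes stripped, as the token without checking that the login succeeded; a failed admin login is answered by the Web API with a JSON error object rather than a string (as I understand the token endpoint — confirm), and that object would then be stored, sent as a Bearer header, and later handed to `command.php` as a "token". Decoding the body and rejecting anything that is not a non-empty string turns a silent bad credential into the `TestFrameworkException` the method's docblock already promises. `$authUrl` and `$authCreds` are built above the hunk, so the check belongs right after the `write` call.
```php
        $this->transport->write($authUrl, json_encode($authCreds), CurlInterface::POST, $this->headers);
        $body = json_decode($this->read(), true);
        if (!is_string($body) || $body === '') {
            // a failed login comes back as a JSON object, never as a bare token string
            throw new TestFrameworkException('Admin token request failed: ' . json_encode($body));
        }
        $this->authToken = $body;
        $this->headers = array_merge(['Authorization: Bearer ' . $this->authToken], $this->headers);
```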
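Review bot: The `getAuthToken()` docblock declares `@throws TestFrameworkException`, but the body is a plain property read that cannot throw, and the property is initialised to `null` in the constructor hunk above, so the accurate header is `@return string|null` with the `@throws` line removed. Since the value is an admin bearer token, a one-line warning in the docblock is worth adding: ` * Admin bearer token obtained in authorize(); treat as a credential and do not log it.`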
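Review bot: `$restExecutor = new WebapiExecutor();` runs on every `magentoCLI()` call, and the WebapiExecutor constructor in this same patch calls `authorize()`, so each CLI step performs a fresh admin login and mints a new admin token that nothing revokes; they accumulate until Magento expires them and a test with many CLI steps hammers the token endpoint. Keeping one executor on the module, `if ($this->restExecutor === null) { $this->restExecutor = new WebapiExecutor(); }`, and reusing its token would avoid that (the constructor's login would then have to be retried on expiry — confirm token lifetime in the target instance). The token also travels as a plain form field to `MAGENTO_CLI_COMMAND_PATH`, so `$baseUrl`, built above the hunk, needs to be an https URL in any shared environment. `magentoCLI` continues past this hunk.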
@@ -493,6 +495,7 @@ public function magentoCLI($command, $arguments = null)
             []
         );
         $response = $executor->read();
+        $restExecutor->close();
         $executor->close();
         return $response;
     }

From 092634a73106939b02e2b2ccc4c4c787aef8becc Mon Sep 17 00:00:00 2001
From: Ji Lu
Date: Wed, 12 Dec 2018 14:56:09 -0600
Subject: [PATCH 2/2] MQE-1354: bug fix in command.php

---
 etc/config/command.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/config/command.php b/etc/config/command.php
index 55b9fd1e9..600025cf4 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -6,7 +6,7 @@
 
 require_once __DIR__ . '/../../../../app/bootstrap.php';
 
-if (isset($_POST['token']) && isset($_POST['command'])) {
+if (!empty($_POST['token']) && !empty($_POST['command'])) {
     $magentoObjectManagerFactory = \Magento\Framework\App\Bootstrap::createObjectManagerFactory(BP, $_SERVER);
     $magentoObjectManager = $magentoObjectManagerFactory->create($_SERVER);
     $tokenModel = $magentoObjectManager->get(\Magento\Integration\Model\Oauth\Token::class);
@@ -14,8 +14,8 @@
     $tokenPassedIn = urldecode($_POST['token']);
     $command = urldecode($_POST['command']);
 
-    if (array_key_exists("arguments", $_POST)) {
-        $arguments = escapeshellarg(urldecode($_POST['arguments']));
+    if (!empty($_POST['arguments'])) {
+        $arguments = urldecode($_POST['arguments']);
     } else {
         $arguments = null;
     }
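Review bot: Dropping `escapeshellarg` on the `$arguments = urldecode($_POST['arguments']);` line puts the posted argument string into the `exec` command line raw, so the only thing between a token holder and shell metacharacters in `arguments` (for example `; id`) is `escapeCommand`, which is defined outside this hunk; confirm that helper escapes the whole command line and record the dependency on this line, e.g. `// raw on purpose: escapeCommand() below is responsible for shell-escaping the assembled command line`. If the per-call escaping was removed because the whole string was being quoted as one argument, escaping each whitespace-separated argument instead keeps both properties, at the cost of quoted multi-word arguments: `$arguments = implode(' ', array_map('escapeshellarg', preg_split('/\s+/', trim(urldecode($_POST['arguments'])))));`. The switch to `!empty($_POST['arguments'])` also silently drops a literal `"0"` argument; `isset($_POST['arguments']) && $_POST['arguments'] !== ''` keeps it.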