Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/2.4-develop' into release_sync_a…
Browse files Browse the repository at this point in the history 
…c3125
  • Loading branch information
@glo71317
glo71317 committed May 28, 2022
2 parents e9a959a + 8f6585a commit 492f3a0
Show file tree
Hide file tree
Showing 281 changed files with 3,139 additions and 1,156 deletions.
7 changes: 4 additions & 3 deletions app/code/Magento/AdminAdobeIms/Console/Command/AdminAdobeImsEnableCommand.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ class AdminAdobeImsEnableCommand extends Command
/**
* Name of "two-factor-auth" input option
*/
private const TWO_FACTOR_AUTH_ARGUMENT = '2fa-auth';
private const TWO_FACTOR_AUTH_ARGUMENT = '2fa';

/**
* @var ImsConfig
Expand Down Expand Up @@ -119,7 +119,8 @@ public function __construct(
self::TWO_FACTOR_AUTH_ARGUMENT,
't',
InputOption::VALUE_OPTIONAL,
'Check if 2FA Auth is enabled on Adobe IMS Side. Enables or disables the Magento 2FA'
'Check if 2FA is enabled for Organization in Adobe Admin Console. ' .
'Required when enabling the module'
)
]);
}
Expand Down Expand Up @@ -169,7 +170,7 @@ protected function execute(InputInterface $input, OutputInterface $output): ?int
}

throw new LocalizedException(
__('The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
__('The Client ID, Client Secret, Organization ID and 2FA are required ' .
'when enabling the Admin Adobe IMS Module')
);
} catch (\Exception $e) {
Expand Down
48 changes: 21 additions & 27 deletions app/code/Magento/AdminAdobeIms/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,12 @@
# Magento_Admin_Adobe_Ims module

The Magento_Admin_Adobe_Ims module contains integration with Adobe IMS for backend authentication.

For information about module installation in Magento 2, see [Enable or disable modules](https://devdocs.magento.com/guides/v2.4/install-gde/install/cli/install-cli-subcommands-enable.html).

# CLI command usage:
## bin/magento admin:adobe-ims:enable
Enables the AdminAdobeIMS Module. \
Required values are `Organization ID`, `Client ID` and `Client Secret`
Required values are `Organization ID`, `Client ID`, `Client Secret` and `2FA enabled`

### Argument Validation
On enabling the AdminAdobeIMS Module, the input arguments will be validated. \
Expand All @@ -19,6 +18,7 @@ The pattern for the validation are configured in the di.xml
<argument name="organizationIdRegex" xsi:type="string"><![CDATA[/^([A-Z0-9]{24})(@AdobeOrg)?$/i]]></argument>
<argument name="clientIdRegex" xsi:type="string"><![CDATA[/[^a-z_\-0-9]/i]]></argument>
<argument name="clientSecretRegex" xsi:type="string"><![CDATA[/[^a-z_\-0-9]/i]]></argument>
<argument name="twoFactorAuthRegex" xsi:type="string"><![CDATA[/^y/i]]></argument>
</arguments>
</type>
```
Expand All @@ -27,6 +27,7 @@ We check if the arguments are not empty, as they are all required.

For the Organization ID, Client ID and Client Secret, we check if they contain only alphanumeric characters. \
Additionally for the Organization ID, we check if it matches 24 characters and optional has the suffix `@AdobeOrg`. But we only store the ID and ignore the suffix.
Also make sure 2FA is enabled for the Organization in Adobe Admin Console.

## bin/magento admin:adobe-ims:disable
Disables the AdminAdobeIMS Module.
Expand All @@ -44,7 +45,6 @@ Client Secret configured
If Admin Adobe Ims module is disabled, cli command will show message "Module is disabled"

# Admin Login design

The admin login design changes when the AdminAdobeIms module is enabled and configured correctly via the CLI command.
We have added the customer layout handle `adobe_ims_login` to deal with all the design changes.
This handle is added via `\Magento\AdminAdobeIms\Plugin\AddAdobeImsLayoutHandlePlugin::afterAddDefaultHandle`.
Expand All @@ -59,24 +59,21 @@ We have included the minified css and the used svgs from Spectrum CSS with our m
To rebuild the minified css run the command `./node_modules/.bin/postcss -o dist/index.min.css index.css` after npm install from inside the web directory.

# AdminAdobeIMS Callback

For the AdobeIMS Login we provide a redirect_uri on the request. After a successful Login in AdobeIMS, we get redirected to provided redirect_uri.

In the ImsCallback Controller we get the access_token and then the user profile.
We then check if the assigned organization is valid and if the user does exist in the magento database, before we complete the user login in Magento.
We then check if the assigned organization is valid and if the user does exist in the Magento database, before we complete the user login in Magento.

If there went something wrong during the authorization, the user gets redirected to the admin login page and an error message is shown.

# Organization ID Validation

During the authorization we check if the configured `Organization ID` provided on the enabling CLI command is assigned to the user.

In the profile response from Adobe IMS must be a `roles` array. There we have all assigned organizations to the user.

We compare if the configured organization ID does exist in this array and also the structure of the organization ID is valid.

# Admin Backend Login

Login with the help Adobe IMS Service is implemented. The redirect to Adobe IMS Service is performed-
The redirect from Adobe IMS is done to \Magento\AdminAdobeIms\Controller\Adminhtml\OAuth\ImsCallback controller.

Expand All @@ -97,14 +94,12 @@ If token is valid, value token_last_check_time will be updated to current time a
If token is not valid, session will be destroyed.

# Admin Backend Logout

The logout from Adobe IMS Service is performed when Magento Admin User is logged out.
It's triggered by the event `controller_action_predispatch_adminhtml_auth_logout`

We do external LogOut by call to IMS. Session revoke is standard magento behavior
We do external LogOut by call to IMS. Session revoke is standard Magento behavior

# Admin Created Email

We created an Observer for the `admin_user_save_after` event. \
There we check if the customer object is newly created or not. \
When a new admin user got created in Magento, he will then receive an email with further information on how to login.
Expand All @@ -117,11 +112,11 @@ The notification mail will be sent inside our `AdminNotificationService` where w
# Error Handling
For the AdminAdobeIms Module we have two specific error messages and one general error message which are shown on the Admin Login page when an error occured.

###AdobeImsTokenAuthorizationException
### AdobeImsTokenAuthorizationException
Will be thrown when there was an error during the authorization. \
e. g. a call to AdobeIMS fails or there was no matching admin found in the magento database.
e. g. a call to AdobeIMS fails or there was no matching admin found in the Magento database.

###AdobeImsOrganizationAuthorizationException
### AdobeImsOrganizationAuthorizationException
Will be thrown when the admin user who wants to log in does not have the configured organization ID assigned to his AdobeIMS Profile.

### Error logging
Expand All @@ -133,28 +128,28 @@ Logging can be enabled or disabled in the config on changing the value for `adob
There you can switch the toggle for `Enable Logging for Admin Adobe IMS Module`

# Password usage in Admin UI
When the AdobeAdminIMS Module is enabled, we do not need any password fields in the magento admin backend anymore.
When the AdobeAdminIMS Module is enabled, we do not need any password fields in the Magento admin backend anymore.

So we hide the "Current User Verification" fields and removed the "Password" and "Password Confirmation" fields of the user forms.
This is done by the Plugin `\Magento\AdminAdobeIms\Plugin\RemovePasswordAndUserConfirmationFormFieldsPlugin`.
Here we remove the password and password confirmation field, and hide the current user verification fieldset.
So we removed the "Password" and "Password Confirmation" fields of the user forms.
This is done by the plugin `\Magento\AdminAdobeIms\Plugin\RemovePasswordAndUserConfirmationFormFieldsPlugin`.
Here we remove the password and password confirmation field.
As the verification field is just hidden, we set a random password to bypass the input filters of the Save and Delete user Classes.
The `\Magento\AdminAdobeIms\Plugin\RemoveUserValidationRulesPlugin` Plugin is required to remove the password fields from the form validation.
The `\Magento\AdminAdobeIms\Plugin\RemoveUserValidationRulesPlugin` plugin is required to remove the password fields from the form validation.
We update the "Current User Identity Verification" fieldset to add "Verify Identity with Adobe IMS" button instead "Your Password" field.
This is done by the plugins: `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\User\Edit\Tab\AddReAuthVerification`, `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\System\Account\Edit\AddReAuthVerification`, `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\User\Role\Tab\AddReAuthVerification` and `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\Integration\Edit\Tab\AddReAuthVerification`.

As we don't show the current user verification field anymore, we have the `\Magento\AdminAdobeIms\Plugin\ReplaceVerifyIdentityWithImsPlugin` Plugin to verify the `access_token` of the current admin user in AdobeIMS and only proceed when it is still valid.
As we update the current user verification field, we have the `\Magento\AdminAdobeIms\Plugin\ReplaceVerifyIdentityWithImsPlugin` plugin to verify the `AdobeReAuthToken` of the current admin user in AdobeIMS and only proceed when it is valid.

For the newly created user will be a random password generated, as we did not modify the admin_user table, where the password field can not be null.
This is done in the `\Magento\AdminAdobeIms\Plugin\UserSavePlugin`.

We also disabled the "Change password in 30 days" functionally, as we don't need the magento admin user password for the login.
We also disabled the "Change password in 30 days" functionally, as we don't need the Magento admin user password for the login.
This can be found in the `\Magento\AdminAdobeIms\Plugin\DisableForcedPasswordChangePlugin` and `\Magento\AdminAdobeIms\Plugin\DisablePasswordResetPlugin` Plugins.

When the AdminAdobeIMS Module is disabled, the user can not be log in when using an empty password.
Instead, the forgot password function must be used to reset the password.


# WEB API authentication using IMS ACCESS_TOKEN

When Admin Adobe IMS is enabled, Adobe Commerce admin users will stop having credentials (username and password).
These admin user credentials are needed for getting token that can be used to make requests to admin web APIs.
It means that will be not possible to create token because admin doesn't have credentials. In these case we have to use IMS access token.
Expand All @@ -177,7 +172,7 @@ Magento has setting: Stores > Settings > Configuration > Services > OAuth > Acce
Both of values are checked in function isTokenExpired \Magento\AdminAdobeIms\Model\TokenReader.
it means that with default values is not possible to use tokens that older than 4h.

###IMS access token verification.
### IMS access token verification.
To verify token a public key is required. For more info https://wiki.corp.adobe.com/display/ims/IMS+public+key+retrieval
In Admin Adobe Ims module was defined path where certificate has to be downloaded from.
By default, in config.xml, these value for production.
Expand All @@ -201,9 +196,8 @@ Examples, how developers can test functionality:
curl -X GET "{domain}/rest/V1/customers/2" -H "Authorization: Bearer AddAdobeImsAccessToken"
curl -X GET "{domain}/rest/V1/products/24-MB01" -H "Authorization: Bearer AddAdobeImsAccessToken"

###Two-factor authentication.

During CLI enablement of the module, the admin user is asked, whether 2FA is enabled for him on Adobe side.
### Two-factor authentication.
During CLI enablement of the module, the admin user is asked, whether 2FA is enabled for Organization in Adobe Admin Console.
If the answer is yes, Magento TFA module (if it's present in the code base), should be disable.

For this purpose the additional config value was added, this config value is read by Magento_TwoFactorAuth module.
Expand All @@ -222,4 +216,4 @@ When the form will be submitted, we verify the identity with the `Magento/AdminA
Here the existens of the `AdobeAccessToken` and `AdobeReAuthToken` will be checked.
The reauth_token will be used to call the AdobeIms validateToken Endpoint.

When this call is successfull, the form will be submitted, otherwise we update the Message of the thrown `AuthenticationException` to return a matching error message, done by the `Magento/AdminAdobeIms/Plugin/PerformIdentityCheckMessagePlugin.php` Plugin.
When this call is successful, the form will be submitted, otherwise we update the Message of the thrown `AuthenticationException` to return a matching error message, done by the `Magento/AdminAdobeIms/Plugin/PerformIdentityCheckMessagePlugin.php` Plugin.
4 changes: 2 additions & 2 deletions app/code/Magento/AdminAdobeIms/Service/ImsCommandOptionService.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,9 @@ class ImsCommandOptionService
private const OPTION_QUESTION = 'Please enter your %s:';

/**
* Prompt for 2FA Auth CLI Command option
* Prompt for 2FA CLI Command option
*/
private const TWO_FACTOR_OPTION_QUESTION = 'Is 2FA enabled on AdobeIMS? (yes/no):';
private const TWO_FACTOR_OPTION_QUESTION = 'Is 2FA enabled for Organization in Adobe Admin Console? (yes/no):';

/**
* Human-readable name for Organization ID input option
Expand Down
2 changes: 1 addition & 1 deletion app/code/Magento/AdminAdobeIms/Service/ImsConfig.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ public function enableModule(
): void {
if (!$isAdobeIms2FAEnabled) {
throw new LocalizedException(
__('2FA Auth is required when enabling the Admin Adobe IMS Module')
__('2FA is required when enabling the Admin Adobe IMS Module')
);
}

Expand Down
6 changes: 3 additions & 3 deletions app/code/Magento/AdminAdobeIms/Test/Mftf/Data/ClientCredentialsData.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@
<entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:mftf:DataGenerator/etc/dataProfileSchema.xsd">
<entity name="ClientCredentialsData">
<data key="org_id">{{_CREDS.magento/admin_adobe_ims/org_id}}</data>
<data key="client_id">{{_CREDS.magento/admin_adobe_ims/client_id}}</data>
<data key="client_key">{{_CREDS.magento/admin_adobe_ims/client_key}}</data>
<data key="org_id">{{_CREDS.magento/admin_adobe_ims_org_id}}</data>
<data key="client_id">{{_CREDS.magento/admin_adobe_ims_client_id}}</data>
<data key="client_key">{{_CREDS.magento/admin_adobe_ims_client_key}}</data>
</entity>
</entities>
6 changes: 3 additions & 3 deletions app/code/Magento/AdminAdobeIms/Test/Unit/Command/AdminAdobeImsEnableCommandTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -171,23 +171,23 @@ public function cliCommandProvider(): array
false,
$this->never(),
$this->never(),
'<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
'<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
'when enabling the Admin Adobe IMS Module</error>',
true
],
[
true,
$this->never(),
$this->never(),
'<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
'<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
'when enabling the Admin Adobe IMS Module</error>',
false
],
[
false,
$this->never(),
$this->never(),
'<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
'<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
'when enabling the Admin Adobe IMS Module</error>',
false
]
Expand Down
65 changes: 58 additions & 7 deletions app/code/Magento/AdminAdobeIms/ViewModel/LinkViewModel.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,56 @@

use Magento\AdminAdobeIms\Model\ImsConnection;
use Magento\Framework\Exception\InvalidArgumentException;
use Magento\Framework\Message\ManagerInterface as MessageManagerInterface;
use Magento\Framework\View\Element\Block\ArgumentInterface;
use Psr\Log\LoggerInterface;

class LinkViewModel implements ArgumentInterface
{
/** @var string */
private string $authUrl;
/**
* @var string|null
*/
private ?string $authUrl;

/**
* @var LoggerInterface
*/
private LoggerInterface $logger;

/**
* @var MessageManagerInterface
*/
private MessageManagerInterface $messageManager;

/**
* @param ImsConnection $connection
* @param LoggerInterface $logger
* @param MessageManagerInterface $messageManager
*/
public function __construct(
ImsConnection $connection
ImsConnection $connection,
LoggerInterface $logger,
MessageManagerInterface $messageManager
) {
$this->logger = $logger;
$this->messageManager = $messageManager;

try {
$this->authUrl = $connection->auth();
} catch (InvalidArgumentException $exception) {
$this->authUrl = '';
} catch (InvalidArgumentException $e) {
$this->logger->error($e->getMessage());
$this->authUrl = null;
$this->addImsErrorMessage(
'Could not connect to Adobe IMS.',
$e->getMessage()
);
} catch (\Exception $e) {
$this->logger->error($e->getMessage());
$this->authUrl = null;
$this->addImsErrorMessage(
'Could not connect to Adobe IMS.',
'Something went wrong during Adobe IMS connection check.'
);
}
}

Expand All @@ -42,10 +75,28 @@ public function isActive(): bool
/**
* Get authorization URL for Login Button
*
* @return string
* @return string|null
*/
public function getButtonLink(): string
public function getButtonLink(): ?string
{
return $this->authUrl;
}

/**
* Add Admin Adobe IMS Error Message
*
* @param string $headline
* @param string $message
* @return void
*/
private function addImsErrorMessage(string $headline, string $message): void
{
$this->messageManager->addComplexErrorMessage(
'adminAdobeImsMessage',
[
'headline' => __($headline)->getText(),
'message' => __($message)->getText()
]
);
}
}
Loading

0 comments on commit 492f3a0

Please sign in to comment.