Merge pull request #456 from magento-performance/CABPI-324

Cabpi 324. Org check with new endpoint

Author: andimov

app/code/Magento/AdminAdobeIms/Controller/Adminhtml/OAuth/ImsCallback.php

@@ -102,14 +102,15 @@ public function execute(): Redirect
             $tokenResponse = $this->adminImsConnection->getTokenResponse($code);
             $accessToken = $tokenResponse->getAccessToken();
 
-            //check organization assignment
-            $this->adminOrganizationService->checkOrganizationAllocation($accessToken);
-
             //get profile info to check email
             $profile = $this->adminImsConnection->getProfile($accessToken);
             if (empty($profile['email'])) {
                 throw new AuthenticationException(__('An authentication error occurred. Verify and try again.'));
             }
+
+            //check membership in organization
+            $this->adminOrganizationService->checkOrganizationMembership($accessToken);
+
             $this->adminLoginProcessService->execute($tokenResponse, $profile);
         } catch (AdobeImsAuthorizationException $e) {
             $this->logger->error($e->getMessage());

app/code/Magento/AdminAdobeIms/Controller/Adminhtml/OAuth/ImsReauthCallback.php

@@ -118,14 +118,16 @@ public function execute(): ResultInterface
             }
 
             $tokenResponse = $this->adminImsConnection->getTokenResponse($code);
+            $accessToken = $tokenResponse->getAccessToken();
 
-            $profile = $this->adminImsConnection->getProfile($tokenResponse->getAccessToken());
+            $profile = $this->adminImsConnection->getProfile($accessToken);
             if (empty($profile['email'])) {
                 throw new AuthenticationException(__('An authentication error occurred. Verify and try again.'));
             }
 
-            $accessToken = $tokenResponse->getAccessToken();
-            $this->adminOrganizationService->checkOrganizationAllocation($accessToken);
+            //check membership in organization
+            $this->adminOrganizationService->checkOrganizationMembership($accessToken);
+
             $this->adminReauthProcessService->execute($tokenResponse);
 
             $response = sprintf(

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -34,6 +34,7 @@ class ImsConfig extends Config
     public const XML_PATH_ADMIN_AUTH_URL_PATTERN = 'adobe_ims/integration/admin/auth_url_pattern';
     public const XML_PATH_ADMIN_REAUTH_URL_PATTERN = 'adobe_ims/integration/admin/reauth_url_pattern';
     public const XML_PATH_ADMIN_ADOBE_IMS_SCOPES = 'adobe_ims/integration/admin/scopes';
+    public const XML_PATH_ORGANIZATION_MEMBERSHIP_URL = 'adobe_ims/integration/organization_membership_url';
 
     private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
 
@@ -376,4 +377,19 @@ public function getCertificateUrl(string $fileName): string
     {
         return $this->scopeConfig->getValue(self::XML_PATH_CERTIFICATE_PATH) . $fileName;
     }
+
+    /**
+     * Get url to check organization membership
+     *
+     * @param string $orgId
+     * @return string
+     */
+    public function getOrganizationMembershipUrl(string $orgId): string
+    {
+        return str_replace(
+            ['#{org_id}'],
+            [$orgId],
+            $this->scopeConfig->getValue(self::XML_PATH_ORGANIZATION_MEMBERSHIP_URL)
+        );
+    }
 }

app/code/Magento/AdminAdobeIms/Service/ImsOrganizationService.php

@@ -9,6 +9,7 @@
 namespace Magento\AdminAdobeIms\Service;
 
 use Magento\AdminAdobeIms\Exception\AdobeImsOrganizationAuthorizationException;
+use Magento\Framework\HTTP\Client\CurlFactory;
 
 class ImsOrganizationService
 {
@@ -17,33 +18,68 @@ class ImsOrganizationService
      */
     private ImsConfig $adminImsConfig;
 
+    /**
+     * @var CurlFactory
+     */
+    private CurlFactory $curlFactory;
+
     /**
      * @param ImsConfig $adminImsConfig
+     * @param CurlFactory $curlFactory
      */
     public function __construct(
-        ImsConfig $adminImsConfig
+        ImsConfig $adminImsConfig,
+        CurlFactory $curlFactory
     ) {
         $this->adminImsConfig = $adminImsConfig;
+        $this->curlFactory = $curlFactory;
     }
 
     /**
-     * Check if user is assigned to organization
+     * Check if user is a member of Adobe Organization
      *
-     * @param string $token
-     * @return bool
+     * @param string $access_token
+     * @return void
      * @throws AdobeImsOrganizationAuthorizationException
      */
-    public function checkOrganizationAllocation(string $token): bool
+    public function checkOrganizationMembership(string $access_token): void
     {
-        $configuredOrganization = $this->adminImsConfig->getOrganizationId();
+        $configuredOrganizationId = $this->adminImsConfig->getOrganizationId();
 
-        //@TODO CABPI-324: Change Org check to use new endpoint
-        if ($configuredOrganization === '' || !$token) {
+        if ($configuredOrganizationId === '' || !$access_token) {
             throw new AdobeImsOrganizationAuthorizationException(
-                __('User is not assigned to defined organization.')
+                __('Can\'t check user membership in organization.')
             );
         }
 
-        return true;
+        try {
+            $curl = $this->curlFactory->create();
+
+            $curl->addHeader('Content-Type', 'application/x-www-form-urlencoded');
+            $curl->addHeader('cache-control', 'no-cache');
+            $curl->addHeader('Authorization', 'Bearer ' . $access_token);
+
+            $orgCheckUrl = $this->adminImsConfig->getOrganizationMembershipUrl($configuredOrganizationId);
+            $curl->get($orgCheckUrl);
+
+            if ($curl->getBody() === '') {
+                throw new AdobeImsOrganizationAuthorizationException(
+                    __('Could not check Organization Membership. Response is empty.')
+                );
+            }
+
+            $response = $curl->getBody();
+
+            if ($response !== 'true') {
+                throw new AdobeImsOrganizationAuthorizationException(
+                    __('User is not a member of configured Adobe Organization.')
+                );
+            }
+
+        } catch (\Exception $exception) {
+            throw new AdobeImsOrganizationAuthorizationException(
+                __('Organization Membership check can\'t be performed')
+            );
+        }
     }
 }

app/code/Magento/AdminAdobeIms/Test/Unit/Service/ImsOrganizationServiceTest.php

@@ -43,27 +43,15 @@ protected function setUp(): void
         );
     }
 
-    public function testCheckOrganizationAllocationReturnsTrueWhenProfileAssignedToOrg()
-    {
-        $this->adminImsConfigMock
-            ->method('getOrganizationId')
-            ->willReturn(self::VALID_ORGANIZATION_ID);
-
-        $this->assertEquals(
-            true,
-            $this->imsOrganizationService->checkOrganizationAllocation('my_token')
-        );
-    }
-
-    public function testCheckOrganizationAllocationThrowsExceptionWhenProfileNotAssignedToOrg()
+    public function testCheckOrganizationMembershipThrowsExceptionWhenProfileNotAssignedToOrg()
     {
         $this->adminImsConfigMock
             ->method('getOrganizationId')
             ->willReturn('');
 
         $this->expectException(AdobeImsOrganizationAuthorizationException::class);
-        $this->expectExceptionMessage('User is not assigned to defined organization.');
+        $this->expectExceptionMessage('Can\'t check user membership in organization.');
 
-        $this->imsOrganizationService->checkOrganizationAllocation('my_token');
+        $this->imsOrganizationService->checkOrganizationMembership('my_token');
     }
 }

app/code/Magento/AdminAdobeIms/etc/config.xml

@@ -18,13 +18,15 @@
                         <openid>openid</openid>
                         <email>email</email>
                         <profile>profile</profile>
+                        <org.read>org.read</org.read>
                     </scopes>
                 </admin>
                 <logging_enabled>0</logging_enabled>
                 <organization_id backend_model="Magento\Config\Model\Config\Backend\Encrypted"/>
                 <auth_url_pattern><![CDATA[https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=#{client_id}&amp;redirect_uri=#{redirect_uri}&amp;locale=#{locale}&amp;scope=openid,creative_sdk,email,profile&amp;response_type=code]]></auth_url_pattern>
                 <token_url>https://ims-na1.adobelogin.com/ims/token</token_url>
                 <profile_url><![CDATA[https://ims-na1.adobelogin.com/ims/profile/v1?client_id=#{client_id}]]></profile_url>
+                <organization_membership_url><![CDATA[https://graph.identity.adobe.com/#{org_id}@AdobeOrg/membership]]></organization_membership_url>
                 <logout_url><![CDATA[https://ims-na1.adobelogin.com/ims/logout/v1?access_token=#{access_token}&amp;client_id=#{client_id}&amp;client_secret=#{client_secret}]]></logout_url>
                 <certificate_path><![CDATA[https://static.adobelogin.com/keys/prod/]]></certificate_path>
                 <validate_token_url><![CDATA[https://ims-na1.adobelogin.com/ims/validate_token/v1?token=#{token}&client_id=#{client_id}&type=#{token_type}]]></validate_token_url>