ACP2E-1776: Creating customer(-s) via Async REST API ignores group_id

Author: AnujNehra

app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Customer\Plugin;
+
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\AsynchronousOperations\Model\MassSchedule;
+
+/**
+ * Plugin to validate anonymous request for asynchronous operations containing group id.
+ */
+class AsyncRequestCustomerGroupAuthorization
+{
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Customer::manage';
+
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     *
+     * @param AuthorizationInterface|null $authorization
+     */
+    public function __construct(
+        AuthorizationInterface $authorization = null
+    ) {
+        $objectManager = ObjectManager::getInstance();
+        $this->authorization = $authorization ?? $objectManager->get(AuthorizationInterface::class);
+    }
+
+    /**
+     * Validate groupId for anonymous request
+     *
+     * @param MassSchedule $massSchedule
+     * @param string $topic
+     * @param array $entitiesArray
+     * @param string|null $groupId
+     * @param string|null $userId
+     * @return void
+     * @throws AuthorizationException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforePublishMass(
+        MassSchedule $massSchedule,
+        string       $topic,
+        array        $entitiesArray,
+        string       $groupId = null,
+        string       $userId = null
+    ): void {
+        foreach ($entitiesArray as $entityParams) {
+            foreach ($entityParams as $entity) {
+                if ($entity instanceof CustomerInterface) {
+                    $groupId = $entity->getGroupId();
+                    if (isset($groupId) && !$this->authorization->isAllowed(self::ADMIN_RESOURCE)) {
+                        $params = ['resources' => self::ADMIN_RESOURCE];
+                        throw new AuthorizationException(
+                            __("The consumer isn't authorized to access %resources.", $params)
+                        );
+                    }
+                }
+            }
+        }
+    }
+}

app/code/Magento/Customer/Test/Plugin/AsyncRequestCustomerGroupAuthorizationTest.php

@@ -0,0 +1,112 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Test\Plugin;
+
+use Magento\AsynchronousOperations\Model\MassSchedule;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Framework\Authorization;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Customer\Plugin\AsyncRequestCustomerGroupAuthorization;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Test for validating anonymous request for asynchronous operations containing group id.
+ */
+class AsyncRequestCustomerGroupAuthorizationTest extends TestCase
+{
+    /**
+     * @var Authorization|MockObject
+     */
+    private $authorizationMock;
+
+    /**
+     * @var AsyncRequestCustomerGroupAuthorization
+     */
+    private $plugin;
+
+    /**
+     * @var MassSchedule|MockObject
+     */
+    private $massScheduleMock;
+
+    /**
+     * @var CustomerRepositoryInterface|MockObject
+     */
+    private $customerRepository;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        $objectManager = new ObjectManager($this);
+        $this->authorizationMock = $this->createMock(Authorization::class);
+        $this->plugin = $objectManager->getObject(AsyncRequestCustomerGroupAuthorization::class, [
+            'authorization' => $this->authorizationMock
+        ]);
+        $this->massScheduleMock = $this->createMock(MassSchedule::class);
+        $this->customerRepository = $this->getMockForAbstractClass(CustomerRepositoryInterface::class);
+    }
+
+    /**
+     * Verify that only authorized request will be able to change groupId
+     *
+     * @param int $groupId
+     * @param int $customerId
+     * @param bool $isAllowed
+     * @param int $willThrowException
+     * @return void
+     * @throws AuthorizationException
+     * @dataProvider customerDataProvider
+     */
+    public function testBeforePublishMass(
+        int $groupId,
+        int $customerId,
+        bool $isAllowed,
+        int $willThrowException
+    ): void {
+        if ($willThrowException) {
+            $this->expectException(AuthorizationException::class);
+        } else {
+            $this->expectNotToPerformAssertions();
+        }
+        $customer = $this->getMockForAbstractClass(CustomerInterface::class);
+        $customer->method('getGroupId')->willReturn($groupId);
+        $customer->method('getId')->willReturn($customerId);
+        $this->customerRepository->method('getById')->with($customerId)->willReturn($customer);
+        $entitiesArray = [
+            [$customer, 'Password1', '']
+        ];
+        $this->authorizationMock
+            ->expects($this->once())
+            ->method('isAllowed')
+            ->with('Magento_Customer::manage')
+            ->willReturn($isAllowed);
+        $this->plugin->beforePublishMass(
+            $this->massScheduleMock,
+            'async.magento.customer.api.accountmanagementinterface.createaccount.post',
+            $entitiesArray,
+            '',
+            ''
+        );
+    }
+
+    /**
+     * @return array
+     */
+    public function customerDataProvider(): array
+    {
+        return [
+            [3, 1, false, 1],
+            [3, 1, true, 0]
+        ];
+    }
+}