MAGETWO-50611: [Github][Security] WebAPIs allow anonymous access

- Revised README
- Added config file to define default value of checkbox.
- Changed location of checkbox in backend.
- Changed text of label.

Author: Hayder Sharhan

app/code/Magento/Store/etc/webapi.xml

@@ -11,31 +11,31 @@
     <route url="/V1/store/storeViews" method="GET">
         <service class="Magento\Store\Api\StoreRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="Magento_Backend::admin"/>
+            <resource ref="Magento_Backend::store"/>
         </resources>
     </route>
 
     <!-- Store Groups-->
     <route url="/V1/store/storeGroups" method="GET">
         <service class="Magento\Store\Api\GroupRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="Magento_Backend::admin"/>
+            <resource ref="Magento_Backend::store"/>
         </resources>
     </route>
 
     <!-- Website -->
     <route url="/V1/store/websites" method="GET">
         <service class="Magento\Store\Api\WebsiteRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="Magento_Backend::admin"/>
+            <resource ref="Magento_Backend::store"/>
         </resources>
     </route>
 
     <!-- Store Config -->
     <route url="/V1/store/storeConfigs" method="GET">
         <service class="Magento\Store\Api\StoreConfigManagerInterface" method="getStoreConfigs"/>
         <resources>
-            <resource ref="Magento_Backend::admin"/>
+            <resource ref="Magento_Backend::store"/>
         </resources>
     </route>
 </routes>

app/code/Magento/WebapiSecurity/Model/Plugin/AnonymousResourceSecurity.php

@@ -9,38 +9,41 @@
 
 class AnonymousResourceSecurity
 {
-    const XML_ALLOW_INSECURE = 'system/webapisecurity/allow_insecure';
+    const XML_ALLOW_INSECURE = 'webapi/webapisecurity/allow_insecure';
 
     /**
-     * @var \Magento\Backend\App\ConfigInterface
+     * @var \Magento\Framework\App\Config\ReinitableConfigInterface
      */
-    protected $backendConfig;
+    protected $config;
 
     /**
-     * @var string
+     * @var array
      */
     protected $resources;
 
     /**
      * AnonymousResourceSecurity constructor.
      *
-     * @param \Magento\Backend\App\ConfigInterface $backendConfig
-     * @param $resources
+     * @param \Magento\Framework\App\Config\ReinitableConfigInterface $config
+     * @param array $resources
      */
-    public function __construct(\Magento\Backend\App\ConfigInterface $backendConfig, $resources)
+    public function __construct(\Magento\Framework\App\Config\ReinitableConfigInterface $config, $resources)
     {
-        $this->backendConfig = $backendConfig;
+        $this->config = $config;
         $this->resources = $resources;
     }
 
-    public function afterConvert(
-        Converter $subject,
-        $nodes
-    ) {
+    /**
+     * @param Converter $subject
+     * @param array $nodes
+     * @return array
+     */
+    public function afterConvert(Converter $subject, $nodes)
+    {
         if (empty($nodes)) {
             return $nodes;
         }
-        $useInsecure = $this->backendConfig->isSetFlag(self::XML_ALLOW_INSECURE);
+        $useInsecure = $this->config->getValue(self::XML_ALLOW_INSECURE);
         if ($useInsecure) {
             foreach ($this->resources as $route => $requestType) {
                 if ($result = $this->getNode($route, $requestType, $nodes["routes"])) {
@@ -63,6 +66,12 @@ public function afterConvert(
         return $nodes;
     }
 
+    /**
+     * @param string $route
+     * @param string $requestType
+     * @param array $source
+     * @return array|null
+     */
     private function getNode($route, $requestType, $source)
     {
         if (isset($source[$route][$requestType])) {

app/code/Magento/WebapiSecurity/Model/Plugin/CacheInvalidator.php

@@ -22,12 +22,19 @@ public function __construct(\Magento\Framework\App\Cache\TypeListInterface $cach
         $this->cacheTypeList = $cacheTypeList;
     }
 
+    /**
+     * @param \Magento\Framework\App\Config\Value $subject
+     * @param \Magento\Framework\App\Config\Value $result
+     *
+     * @return \Magento\Framework\App\Config\Value
+     */
     public function afterAfterSave(
         \Magento\Framework\App\Config\Value $subject,
-        $result
-    )
-    {
-        if ($result->getPath() == "system/webapisecurity/allow_insecure" && $result->isValueChanged()) {
+        \Magento\Framework\App\Config\Value $result
+    ) {
+        if ($result->getPath() == \Magento\WebapiSecurity\Model\Plugin\AnonymousResourceSecurity::XML_ALLOW_INSECURE
+            && $result->isValueChanged()
+        ) {
             $this->cacheTypeList->invalidate(\Magento\Webapi\Model\Cache\Type\Webapi::TYPE_IDENTIFIER);
         }
 

app/code/Magento/WebapiSecurity/README.md

@@ -1,5 +1,6 @@
 # WebapiSecurity
 
-**WebapiSecurity** enables access management of some webapi resources.
-Allowing them to be accessed by anyone. These resources are outlined in di.xml
-If anonymous access checkbox is enabled in backend, these resources' security is loosened.
+**WebapiSecurity** enables access management of some Web API resources.
+If checkbox is enabled in backend through: Stores -> Configuration -> Services -> Magento Web API -> Web Api Security
+then the security of all of the services outlined in app/code/Magento/WebapiSecurity/etc/di.xml would be loosened. You may modify these services to customize.
+By loosening the security, these services would allow access anonymously (by anyone).

app/code/Magento/WebapiSecurity/etc/Adminhtml/system.xml

@@ -5,13 +5,13 @@
   -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
     <system>
-        <section id="system">
+        <section id="webapi" translate="label" type="text" sortOrder="102" showInDefault="1" showInWebsite="1" showInStore="1">
             <group id="webapisecurity" translate="label" type="text" sortOrder="250" showInDefault="1" showInWebsite="0" showInStore="0">
-                <label>Webapi Security</label>
+                <label>Web API Security</label>
                 <field id="allow_insecure" translate="label" type="select" sortOrder="1" showInDefault="1" showInWebsite="0" showInStore="0">
-                    <label>Allow insecure anonymous access for some CMS, Catalog and Store services</label>
+                    <label>Allow insecure anonymous access</label>
                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
-                    <comment>Full list can be viewed at Magento/app/code/Magento/WebapiSecurity/etc/di.xml</comment>
+                    <comment>Anonymous access would be provided for some CMS, Catalog and Store services</comment>
                 </field>
             </group>
         </section>

app/code/Magento/WebapiSecurity/etc/config.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
+    <default>
+        <webapi>
+            <webapisecurity>
+                <allow_insecure>0</allow_insecure>
+            </webapisecurity>
+        </webapi>
+    </default>
+</config>

composer.json

@@ -172,6 +172,7 @@
         "magento/module-vault": "100.0.2",
         "magento/module-version": "100.0.2",
         "magento/module-webapi": "100.0.2",
+        "magento/module-webapisecurity": "100.0.2",
         "magento/module-weee": "100.0.2",
         "magento/module-widget": "100.0.2",
         "magento/module-wishlist": "100.0.2",