Merge branch '2.4-develop' of https://github.com/magento-l3/magento2ce into MC-42249

Author: devarul

app/code/Magento/CatalogRuleConfigurable/Plugin/CatalogRule/Model/Indexer/ProductRuleReindex.php

@@ -6,21 +6,22 @@
  */
 namespace Magento\CatalogRuleConfigurable\Plugin\CatalogRule\Model\Indexer;
 
+use Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer;
 use Magento\ConfigurableProduct\Model\Product\Type\Configurable;
 use Magento\CatalogRuleConfigurable\Plugin\CatalogRule\Model\ConfigurableProductsProvider;
 
 /**
- * Class ReindexProduct. Add configurable sub-products to reindex
+ * Add configurable sub-products to reindex
  */
 class ProductRuleReindex
 {
     /**
-     * @var \Magento\ConfigurableProduct\Model\Product\Type\Configurable
+     * @var Configurable
      */
     private $configurable;
 
     /**
-     * @var \Magento\CatalogRuleConfigurable\Plugin\CatalogRule\Model\ConfigurableProductsProvider
+     * @var ConfigurableProductsProvider
      */
     private $configurableProductsProvider;
 
@@ -37,61 +38,47 @@ public function __construct(
     }
 
     /**
-     * @param \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject
+     * Reindex configurable product with sub-products
+     *
+     * @param ProductRuleIndexer $subject
      * @param \Closure $proceed
      * @param int $id
-     *
      * @return void
      */
-    public function aroundExecuteRow(
-        \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject,
-        \Closure $proceed,
-        $id
-    ) {
+    public function aroundExecuteRow(ProductRuleIndexer $subject, \Closure $proceed, $id)
+    {
+        $isReindexed = false;
+
         $configurableProductIds = $this->configurableProductsProvider->getIds([$id]);
-        $this->reindexSubProducts($configurableProductIds, $subject);
-        if (!$configurableProductIds) {
-            $proceed($id);
+        if ($configurableProductIds) {
+            $subProducts = array_values($this->configurable->getChildrenIds($id)[0]);
+            if ($subProducts) {
+                $subject->executeList(array_merge([$id], $subProducts));
+                $isReindexed = true;
+            }
         }
-    }
 
-    /**
-     * @param \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject
-     * @param \Closure $proceed
-     * @param array $ids
-     *
-     * @return void
-     */
-    public function aroundExecuteList(
-        \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject,
-        \Closure $proceed,
-        array $ids
-    ) {
-        $configurableProductIds = $this->configurableProductsProvider->getIds($ids);
-        $subProducts = $this->reindexSubProducts($configurableProductIds, $subject);
-        $ids = array_diff($ids, $configurableProductIds, $subProducts);
-        if ($ids) {
-            $proceed($ids);
+        if (!$isReindexed) {
+            $proceed($id);
         }
     }
 
     /**
-     * @param array $configurableIds
-     * @param \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject
+     * Add sub-products to reindex
      *
+     * @param ProductRuleIndexer $subject
+     * @param array $ids
      * @return array
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
-    private function reindexSubProducts(
-        array $configurableIds,
-        \Magento\CatalogRule\Model\Indexer\Product\ProductRuleIndexer $subject
-    ) {
-        $subProducts = [];
-        if ($configurableIds) {
-            $subProducts = array_values($this->configurable->getChildrenIds($configurableIds)[0]);
-            if ($subProducts) {
-                $subject->executeList($subProducts);
-            }
+    public function beforeExecuteList(ProductRuleIndexer $subject, array $ids): array
+    {
+        $configurableProductIds = $this->configurableProductsProvider->getIds($ids);
+        if ($configurableProductIds) {
+            $subProducts = array_values($this->configurable->getChildrenIds($configurableProductIds)[0]);
+            $ids = array_unique(array_merge($ids, $subProducts));
         }
-        return $subProducts;
+
+        return [$ids];
     }
 }

app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php

@@ -18,6 +18,10 @@
  */
 class ReturnUrl extends Payflow implements CsrfAwareActionInterface, HttpGetActionInterface
 {
+    private const ORDER_INCREMENT_ID = 'INVNUM';
+
+    private const SILENT_POST_HASH = 'secure_silent_post_hash';
+
     /**
      * @var array of allowed order states on frontend
      */
@@ -63,30 +67,48 @@ public function execute()
         $this->_view->loadLayout(false);
         /** @var \Magento\Checkout\Block\Onepage\Success $redirectBlock */
         $redirectBlock = $this->_view->getLayout()->getBlock($this->_redirectBlockName);
-
-        if ($this->_checkoutSession->getLastRealOrderId()) {
-            /** @var \Magento\Sales\Model\Order $order */
-            $order = $this->_orderFactory->create()->loadByIncrementId($this->_checkoutSession->getLastRealOrderId());
-
-            if ($order->getIncrementId()) {
-                if ($this->checkOrderState($order)) {
-                    $redirectBlock->setData('goto_success_page', true);
+        $order = $this->getOrderFromRequest();
+        if ($order) {
+            if ($this->checkOrderState($order)) {
+                $redirectBlock->setData('goto_success_page', true);
+            } else {
+                if ($this->checkPaymentMethod($order)) {
+                    $gotoSection = $this->_cancelPayment((string)$this->getRequest()->getParam('RESPMSG'));
+                    $redirectBlock->setData('goto_section', $gotoSection);
+                    $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
                 } else {
-                    if ($this->checkPaymentMethod($order)) {
-                        $gotoSection = $this->_cancelPayment((string)$this->getRequest()->getParam('RESPMSG'));
-                        $redirectBlock->setData('goto_section', $gotoSection);
-                        $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
-                    } else {
-                        $redirectBlock->setData('goto_section', false);
-                        $redirectBlock->setData('error_msg', __('Requested payment method does not match with order.'));
-                    }
+                    $redirectBlock->setData('goto_section', false);
+                    $redirectBlock->setData('error_msg', __('Requested payment method does not match with order.'));
                 }
             }
         }
 
         $this->_view->renderLayout();
     }
 
+    /**
+     * Returns an order from request.
+     *
+     * @return Order|null
+     */
+    private function getOrderFromRequest(): ?Order
+    {
+        $orderId = $this->getRequest()->getParam(self::ORDER_INCREMENT_ID);
+        if (!$orderId) {
+            return null;
+        }
+
+        $order = $this->_orderFactory->create()->loadByIncrementId($orderId);
+        $storedHash = (string)$order->getPayment()->getAdditionalInformation(self::SILENT_POST_HASH);
+        $requestHash = (string)$this->getRequest()->getParam('USER2');
+        if (empty($storedHash) || empty($requestHash) || !hash_equals($storedHash, $requestHash)) {
+            return null;
+        }
+        $this->_checkoutSession->setLastRealOrderId($orderId);
+
+        return $order;
+    }
+
     /**
      * Check order state
      *

app/code/Magento/Paypal/Plugin/TransparentSessionChecker.php

@@ -20,6 +20,8 @@ class TransparentSessionChecker
      */
     private $disableSessionUrls = [
         'paypal/transparent/redirect',
+        'paypal/payflowadvanced/returnUrl',
+        'paypal/payflow/returnUrl',
         'paypal/hostedpro/return',
     ];
 

app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php

@@ -32,6 +32,8 @@ class ReturnUrlTest extends TestCase
 {
     const LAST_REAL_ORDER_ID = '000000001';
 
+    const SILENT_POST_HASH = 'abcdfg';
+
     /**
      * @var ReturnUrl
      */
@@ -142,7 +144,7 @@ protected function setUp(): void
 
         $this->checkoutSession = $this->getMockBuilder(Session::class)
             ->disableOriginalConstructor()
-            ->setMethods(['getLastRealOrderId', 'getLastRealOrder', 'restoreQuote'])
+            ->setMethods(['setLastRealOrderId', 'getLastRealOrder', 'restoreQuote'])
             ->getMock();
 
         $this->paymentFailures = $this->getMockBuilder(PaymentFailuresInterface::class)
@@ -177,8 +179,15 @@ public function testExecuteAllowedOrderState($state)
         $this->withLayout();
         $this->withOrder(self::LAST_REAL_ORDER_ID, $state);
 
-        $this->checkoutSession->method('getLastRealOrderId')
-            ->willReturn(self::LAST_REAL_ORDER_ID);
+        $this->request->method('getParam')
+            ->willReturnMap([
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', self::SILENT_POST_HASH],
+            ]);
+
+        $this->checkoutSession->expects($this->once())
+            ->method('setLastRealOrderId')
+            ->with(self::LAST_REAL_ORDER_ID);
 
         $this->block->method('setData')
             ->with('goto_success_page', true)
@@ -202,6 +211,45 @@ public function allowedOrderStateDataProvider()
         ];
     }
 
+    /**
+     * Checks a test case when silent post hash validation fails.
+     *
+     * @param string $requestHash
+     * @param string $orderHash
+     * @dataProvider invalidHashVariations
+     */
+    public function testFailedHashValidation(string $requestHash, string $orderHash)
+    {
+        $this->withLayout();
+        $this->withOrder(self::LAST_REAL_ORDER_ID, Order::STATE_PROCESSING, $orderHash);
+
+        $this->request->method('getParam')
+            ->willReturnMap([
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', $requestHash],
+            ]);
+
+        $this->checkoutSession->expects($this->never())
+            ->method('setLastRealOrderId')
+            ->with(self::LAST_REAL_ORDER_ID);
+
+        $this->returnUrl->execute();
+    }
+
+    /**
+     * Gets list of allowed order states.
+     *
+     * @return array
+     */
+    public function invalidHashVariations()
+    {
+        return [
+            ['requestHash' => '', 'orderHash' => self::SILENT_POST_HASH],
+            ['requestHash' => self::SILENT_POST_HASH, 'orderHash' => ''],
+            ['requestHash' => 'abcd', 'orderHash' => 'dcba'],
+        ];
+    }
+
     /**
      * Checks a test case when action processes order with not allowed state.
      *
@@ -218,8 +266,11 @@ public function testExecuteNotAllowedOrderState($state, $restoreQuote, $expected
         $this->withCheckoutSession(self::LAST_REAL_ORDER_ID, $restoreQuote);
 
         $this->request->method('getParam')
-            ->with('RESPMSG')
-            ->willReturn($errMessage);
+            ->willReturnMap([
+                ['RESPMSG', $errMessage],
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', self::SILENT_POST_HASH],
+            ]);
 
         $this->payment->method('getMethod')
             ->willReturn(Config::METHOD_PAYFLOWLINK);
@@ -261,8 +312,14 @@ public function testCheckRejectByPaymentMethod()
         $this->withLayout();
         $this->withOrder(self::LAST_REAL_ORDER_ID, Order::STATE_NEW);
 
-        $this->checkoutSession->method('getLastRealOrderId')
-            ->willReturn(self::LAST_REAL_ORDER_ID);
+        $this->checkoutSession->expects($this->once())
+            ->method('setLastRealOrderId')
+            ->with(self::LAST_REAL_ORDER_ID);
+        $this->request->method('getParam')
+            ->willReturnMap([
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', self::SILENT_POST_HASH],
+            ]);
 
         $this->withBlockContent(false, 'Requested payment method does not match with order.');
 
@@ -285,8 +342,11 @@ public function testCheckXSSEscaped($errorMsg, $errorMsgEscaped)
         $this->withCheckoutSession(self::LAST_REAL_ORDER_ID, true);
 
         $this->request->method('getParam')
-            ->with('RESPMSG')
-            ->willReturn($errorMsg);
+            ->willReturnMap([
+                ['RESPMSG', $errorMsg],
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', self::SILENT_POST_HASH],
+            ]);
 
         $this->checkoutHelper->method('cancelCurrentOrder')
             ->with(self::equalTo($errorMsgEscaped));
@@ -323,8 +383,11 @@ public function testCheckAdvancedAcceptingByPaymentMethod()
         $this->withCheckoutSession(self::LAST_REAL_ORDER_ID, true);
 
         $this->request->method('getParam')
-            ->with('RESPMSG')
-            ->willReturn('message');
+            ->willReturnMap([
+                ['RESPMSG', 'message'],
+                ['INVNUM', self::LAST_REAL_ORDER_ID],
+                ['USER2', self::SILENT_POST_HASH],
+            ]);
 
         $this->withBlockContent('paymentMethod', 'Your payment has been declined. Please try again.');
 
@@ -347,9 +410,10 @@ public function testCheckAdvancedAcceptingByPaymentMethod()
      *
      * @param string $incrementId
      * @param string $state
+     * @param string $hash
      * @return void
      */
-    private function withOrder($incrementId, $state)
+    private function withOrder($incrementId, $state, $hash = self::SILENT_POST_HASH)
     {
         $this->orderFactory->method('create')
             ->willReturn($this->order);
@@ -366,6 +430,8 @@ private function withOrder($incrementId, $state)
 
         $this->order->method('getPayment')
             ->willReturn($this->payment);
+        $this->payment->method('getAdditionalInformation')
+            ->willReturn($hash);
     }
 
     /**
@@ -390,8 +456,8 @@ private function withLayout()
      */
     private function withCheckoutSession($orderId, $restoreQuote)
     {
-        $this->checkoutSession->method('getLastRealOrderId')
-            ->willReturn($orderId);
+        $this->checkoutSession->method('setLastRealOrderId')
+            ->with($orderId);
 
         $this->checkoutSession->method('getLastRealOrder')
             ->willReturn($this->order);

app/code/Magento/Paypal/etc/csp_whitelist.xml

@@ -36,6 +36,14 @@
             <values>
                 <value id="www_paypal" type="host">www.paypal.com</value>
                 <value id="www_sandbox_paypal" type="host">www.sandbox.paypal.com</value>
+                <value id="pilot_payflowlink_paypal_com" type="host">pilot-payflowlink.paypal.com</value>
+            </values>
+        </policy>
+        <policy id="form-action">
+            <values>
+                <value id="www_paypal" type="host">www.paypal.com</value>
+                <value id="www_sandbox_paypal" type="host">www.sandbox.paypal.com</value>
+                <value id="pilot_payflowlink_paypal_com" type="host">pilot-payflowlink.paypal.com</value>
             </values>
         </policy>
     </policies>

app/code/Magento/Paypal/view/frontend/web/js/view/payment/method-renderer/iframe-methods.js

@@ -74,6 +74,7 @@ define([
             if (this.iframeIsLoaded) {
                 document.getElementById(this.getCode() + '-iframe')
                     .contentWindow.location.reload();
+                this.paymentReady(false);
             }
 
             this.paymentReady(true);