CABPI-324: Change Org check to use new endpoint

Author: andimov

app/code/Magento/AdminAdobeIms/Controller/Adminhtml/OAuth/ImsCallback.php

@@ -102,14 +102,15 @@ public function execute(): Redirect
             $tokenResponse = $this->adminImsConnection->getTokenResponse($code);
             $accessToken = $tokenResponse->getAccessToken();
 
-            //check organization assignment
-            $this->adminOrganizationService->checkOrganizationAllocation($accessToken);
-
             //get profile info to check email
             $profile = $this->adminImsConnection->getProfile($accessToken);
             if (empty($profile['email'])) {
                 throw new AuthenticationException(__('An authentication error occurred. Verify and try again.'));
             }
+
+            //check membership in organization
+            $this->adminOrganizationService->checkOrganizationMembership($accessToken);
+
             $this->adminLoginProcessService->execute($tokenResponse, $profile);
         } catch (AdobeImsAuthorizationException $e) {
             $this->logger->error($e->getMessage());

app/code/Magento/AdminAdobeIms/Model/ImsConnection.php

@@ -15,9 +15,11 @@
 use Magento\AdobeImsApi\Api\Data\TokenResponseInterface;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\InvalidArgumentException;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\HTTP\Client\Curl;
 use Magento\Framework\HTTP\Client\CurlFactory;
 use Magento\Framework\Serialize\Serializer\Json;
+use mysql_xdevapi\Exception;
 
 class ImsConnection
 {
@@ -233,4 +235,56 @@ public function getProfile(string $code)
 
         return $this->json->unserialize($curl->getBody());
     }
+
+    /**
+     * Check if user is a member of Adobe IMS Organization
+     *
+     * @param string $orgId
+     * @param string|null $token
+     * @return bool
+     * @throws AuthorizationException
+     */
+    public function organizationMembership(string $orgId, ?string $token): bool
+    {
+        $result = false;
+        if ($token === null) {
+            return $result;
+        }
+        try {
+            $curl = $this->curlFactory->create();
+
+            $curl->addHeader('Content-Type', 'application/x-www-form-urlencoded');
+            $curl->addHeader('cache-control', 'no-cache');
+            $curl->addHeader('Authorization', 'Bearer ' . $token);
+
+            $curl->get(
+                $this->adminImsConfig->getOrganizationMembershipUrl($orgId),
+                []
+            );
+
+            if ($curl->getBody() === '') {
+                throw new AuthorizationException(
+                    __('Could not check Organization Membership')
+                );
+            }
+
+            $response = $curl->getBody();
+
+            if ($response == 'true') {
+                $result = true;
+            } else {
+                throw new AdobeImsOrganizationAuthorizationException(
+                    __('User is not a member of configured Adobe Organization.')
+                );
+            }
+
+        } catch (Exception $exception) {
+            throw new LocalizedException(
+                __('Organization Membership check can\'t be performed')
+            );
+
+        }
+
+        return $result;
+    }
 }

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -34,6 +34,7 @@ class ImsConfig extends Config
     public const XML_PATH_ADMIN_AUTH_URL_PATTERN = 'adobe_ims/integration/admin/auth_url_pattern';
     public const XML_PATH_ADMIN_REAUTH_URL_PATTERN = 'adobe_ims/integration/admin/reauth_url_pattern';
     public const XML_PATH_ADMIN_ADOBE_IMS_SCOPES = 'adobe_ims/integration/admin/scopes';
+    public const XML_PATH_ORGANIZATION_MEMBERSHIP_URL = 'adobe_ims/integration/organization_membership_url';
 
     private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
 
@@ -376,4 +377,19 @@ public function getCertificateUrl(string $fileName): string
     {
         return $this->scopeConfig->getValue(self::XML_PATH_CERTIFICATE_PATH) . $fileName;
     }
+
+    /**
+     * Get url to check organization membership
+     *
+     * @param string $orgId
+     * @return string
+     */
+    public function getOrganizationMembershipUrl(string $orgId): string
+    {
+        return str_replace(
+            ['#{orgId}'],
+            [$orgId],
+            $this->scopeConfig->getValue(self::XML_PATH_ORGANIZATION_MEMBERSHIP_URL)
+        );
+    }
 }

app/code/Magento/AdminAdobeIms/Service/ImsOrganizationService.php

@@ -9,6 +9,7 @@
 namespace Magento\AdminAdobeIms\Service;
 
 use Magento\AdminAdobeIms\Exception\AdobeImsOrganizationAuthorizationException;
+use Magento\AdminAdobeIms\Model\ImsConnection;
 
 class ImsOrganizationService
 {
@@ -17,33 +18,40 @@ class ImsOrganizationService
      */
     private ImsConfig $adminImsConfig;
 
+    /**
+     * @var ImsConnection
+     */
+    private ImsConnection $adminImsConnection;
+
     /**
      * @param ImsConfig $adminImsConfig
+     * @param ImsConnection $adminImsConnection
      */
     public function __construct(
-        ImsConfig $adminImsConfig
+        ImsConfig $adminImsConfig,
+        ImsConnection $adminImsConnection
     ) {
         $this->adminImsConfig = $adminImsConfig;
+        $this->adminImsConnection = $adminImsConnection;
     }
 
     /**
-     * Check if user is assigned to organization
+     * Check if user is a member of Adobe Organization
      *
-     * @param string $token
+     * @param string $access_token
      * @return bool
      * @throws AdobeImsOrganizationAuthorizationException
      */
-    public function checkOrganizationAllocation(string $token): bool
+    public function checkOrganizationMembership(string $access_token): bool
     {
         $configuredOrganization = $this->adminImsConfig->getOrganizationId();
 
-        //@TODO CABPI-324: Change Org check to use new endpoint
-        if ($configuredOrganization === '' || !$token) {
+        if ($configuredOrganization === '' || !$access_token) {
             throw new AdobeImsOrganizationAuthorizationException(
-                __('User is not assigned to defined organization.')
+                __('Can\'t check user membership in organization.')
             );
         }
 
-        return true;
+        $this->adminImsConnection->organizationMembership($configuredOrganization, $access_token);
     }
 }

app/code/Magento/AdminAdobeIms/etc/config.xml

@@ -18,13 +18,15 @@
                         <openid>openid</openid>
                         <email>email</email>
                         <profile>profile</profile>
+                        <org.read>org.read</org.read>
                     </scopes>
                 </admin>
                 <logging_enabled>0</logging_enabled>
                 <organization_id backend_model="Magento\Config\Model\Config\Backend\Encrypted"/>
                 <auth_url_pattern><![CDATA[https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=#{client_id}&amp;redirect_uri=#{redirect_uri}&amp;locale=#{locale}&amp;scope=openid,creative_sdk,email,profile&amp;response_type=code]]></auth_url_pattern>
                 <token_url>https://ims-na1.adobelogin.com/ims/token</token_url>
                 <profile_url><![CDATA[https://ims-na1.adobelogin.com/ims/profile/v1?client_id=#{client_id}]]></profile_url>
+                <organization_membership_url><![CDATA[https://graph.identity.adobe.com/#{org_id}@AdobeOrg/membership]]></organization_membership_url>
                 <logout_url><![CDATA[https://ims-na1.adobelogin.com/ims/logout/v1?access_token=#{access_token}&amp;client_id=#{client_id}&amp;client_secret=#{client_secret}]]></logout_url>
                 <certificate_path><![CDATA[https://static.adobelogin.com/keys/prod/]]></certificate_path>
                 <validate_token_url><![CDATA[https://ims-na1.adobelogin.com/ims/validate_token/v1?token=#{token}&client_id=#{client_id}&type=#{token_type}]]></validate_token_url>