MAGETWO-83589: Vulnerability related to active login session

Author: ameysar

app/code/Magento/Customer/Model/AccountManagement.php

@@ -48,6 +48,9 @@
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\StoreManagerInterface;
 use Psr\Log\LoggerInterface as PsrLogger;
+use Magento\Framework\Session\SessionManagerInterface;
+use Magento\Framework\Session\SaveHandlerInterface;
+use Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory;
 
 /**
  * Handle various customer account actions
@@ -243,6 +246,21 @@ class AccountManagement implements AccountManagementInterface
      */
     private $transportBuilder;
 
+    /**
+     * @var SessionManagerInterface
+     */
+    private $sessionManager;
+
+    /**
+     * @var SaveHandlerInterface
+     */
+    private $saveHandler;
+
+    /**
+     * @var CollectionFactory
+     */
+    private $visitorCollectionFactory;
+
     /**
      * @var DataObjectProcessor
      */
@@ -335,6 +353,9 @@ class AccountManagement implements AccountManagementInterface
      * @param CredentialsValidator|null $credentialsValidator
      * @param DateTimeFactory|null $dateTimeFactory
      * @param AccountConfirmation|null $accountConfirmation
+     * @param SessionManagerInterface|null $sessionManager
+     * @param SaveHandlerInterface|null $saveHandler
+     * @param CollectionFactory|null $visitorCollectionFactory
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -363,7 +384,10 @@ public function __construct(
         ExtensibleDataObjectConverter $extensibleDataObjectConverter,
         CredentialsValidator $credentialsValidator = null,
         DateTimeFactory $dateTimeFactory = null,
-        AccountConfirmation $accountConfirmation = null
+        AccountConfirmation $accountConfirmation = null,
+        SessionManagerInterface $sessionManager = null,
+        SaveHandlerInterface $saveHandler = null,
+        CollectionFactory $visitorCollectionFactory = null
     ) {
         $this->customerFactory = $customerFactory;
         $this->eventManager = $eventManager;
@@ -393,6 +417,12 @@ public function __construct(
         $this->dateTimeFactory = $dateTimeFactory ?: ObjectManager::getInstance()->get(DateTimeFactory::class);
         $this->accountConfirmation = $accountConfirmation ?: ObjectManager::getInstance()
             ->get(AccountConfirmation::class);
+        $this->sessionManager = $sessionManager
+            ?: ObjectManager::getInstance()->get(SessionManagerInterface::class);
+        $this->saveHandler = $saveHandler
+            ?: ObjectManager::getInstance()->get(SaveHandlerInterface::class);
+        $this->visitorCollectionFactory = $visitorCollectionFactory
+            ?: ObjectManager::getInstance()->get(CollectionFactory::class);
     }
 
     /**
@@ -594,7 +624,10 @@ public function resetPassword($email, $resetToken, $newPassword)
         $customerSecure->setRpToken(null);
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
+        $this->sessionManager->destroy();
+        $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);
+
         return true;
     }
 
@@ -896,7 +929,9 @@ private function changePasswordForCustomer($customer, $currentPassword, $newPass
         $customerSecure->setRpTokenCreatedAt(null);
         $this->checkPasswordStrength($newPassword);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
+        $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);
+
         return true;
     }
 
@@ -1399,4 +1434,35 @@ private function getEmailNotification()
             return $this->emailNotification;
         }
     }
+
+    /**
+     * Destroy all active customer sessions by customer id (current session will not be destroyed).
+     * Customer sessions which should be deleted are collecting from the "customer_visitor" table considering
+     * configured session lifetime.
+     *
+     * @param string|int $customerId
+     * @return void
+     */
+    private function destroyCustomerSessions($customerId)
+    {
+        $sessionLifetime = $this->scopeConfig->getValue(
+            \Magento\Framework\Session\Config::XML_PATH_COOKIE_LIFETIME,
+            \Magento\Store\Model\ScopeInterface::SCOPE_STORE
+        );
+        $dateTime = $this->dateTimeFactory->create();
+        $activeSessionsTime = $dateTime->setTimestamp($dateTime->getTimestamp() - $sessionLifetime)
+            ->format(DateTime::DATETIME_PHP_FORMAT);
+        /** @var \Magento\Customer\Model\ResourceModel\Visitor\Collection $visitorCollection */
+        $visitorCollection = $this->visitorCollectionFactory->create();
+        $visitorCollection->addFieldToFilter('customer_id', $customerId);
+        $visitorCollection->addFieldToFilter('last_visit_at', ['from' => $activeSessionsTime]);
+        $visitorCollection->addFieldToFilter('session_id', ['neq' => $this->sessionManager->getSessionId()]);
+        /** @var \Magento\Customer\Model\Visitor $visitor */
+        foreach ($visitorCollection->getItems() as $visitor) {
+            $sessionId = $visitor->getSessionId();
+            $this->sessionManager->start();
+            $this->saveHandler->destroy($sessionId);
+            $this->sessionManager->writeClose();
+        }
+    }
 }

app/code/Magento/Customer/Model/Visitor.php

@@ -151,6 +151,9 @@ public function initByRequest($observer)
 
         if ($this->session->getVisitorData()) {
             $this->setData($this->session->getVisitorData());
+            if ($this->getSessionId() != $this->session->getSessionId()) {
+                $this->setSessionId($this->session->getSessionId());
+            }
         }
 
         $this->setLastVisitAt((new \DateTime())->format(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT));

app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php

@@ -127,6 +127,21 @@ class AccountManagementTest extends \PHPUnit\Framework\TestCase
      */
     private $accountConfirmation;
 
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\Session\SessionManagerInterface
+     */
+    private $sessionManager;
+
+    /**
+     * @var  \PHPUnit_Framework_MockObject_MockObject|\Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory
+     */
+    private $visitorCollectionFactory;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\Session\SaveHandlerInterface
+     */
+    private $saveHandler;
+
     /**
      * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      */
@@ -179,6 +194,19 @@ protected function setUp()
         $this->dateTimeFactory = $this->createMock(DateTimeFactory::class);
         $this->accountConfirmation = $this->createMock(AccountConfirmation::class);
 
+        $this->visitorCollectionFactory = $this->getMockBuilder(
+            \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
+        )
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+        $this->sessionManager = $this->getMockBuilder(\Magento\Framework\Session\SessionManagerInterface::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->saveHandler = $this->getMockBuilder(\Magento\Framework\Session\SaveHandlerInterface::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
         $this->objectManagerHelper = new ObjectManagerHelper($this);
         $this->accountManagement = $this->objectManagerHelper->getObject(
             \Magento\Customer\Model\AccountManagement::class,
@@ -207,7 +235,10 @@ protected function setUp()
                 'objectFactory' => $this->objectFactory,
                 'extensibleDataObjectConverter' => $this->extensibleDataObjectConverter,
                 'dateTimeFactory' => $this->dateTimeFactory,
-                'accountConfirmation' => $this->accountConfirmation
+                'accountConfirmation' => $this->accountConfirmation,
+                'sessionManager' => $this->sessionManager,
+                'saveHandler' => $this->saveHandler,
+                'visitorCollectionFactory' => $this->visitorCollectionFactory,
             ]
         );
         $reflection = new \ReflectionClass(get_class($this->accountManagement));
@@ -1276,7 +1307,16 @@ private function reInitModel()
     {
         $this->customerSecure = $this->getMockBuilder(\Magento\Customer\Model\Data\CustomerSecure::class)
             ->disableOriginalConstructor()
-            ->setMethods(['getRpToken', 'getRpTokenCreatedAt'])
+            ->setMethods(
+                [
+                    'getRpToken',
+                    'getRpTokenCreatedAt',
+                    'getPasswordHash',
+                    'setPasswordHash',
+                    'setRpToken',
+                    'setRpTokenCreatedAt',
+                ]
+            )
             ->getMock();
 
         $this->customerSecure
@@ -1297,6 +1337,48 @@ private function reInitModel()
             ->getMock();
 
         $this->prepareDateTimeFactory();
+        $this->sessionManager = $this->getMockBuilder(\Magento\Framework\Session\SessionManagerInterface::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['destroy', 'start', 'writeClose'])
+            ->getMockForAbstractClass();
+        $this->visitorCollectionFactory = $this->getMockBuilder(
+            \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
+        )
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+        $this->saveHandler = $this->getMockBuilder(\Magento\Framework\Session\SaveHandlerInterface::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['destroy'])
+            ->getMockForAbstractClass();
+
+        $dateTime = '2017-10-25 18:57:08';
+        $timestamp = '1508983028';
+        $dateTimeMock = $this->getMockBuilder(\DateTime::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['format', 'getTimestamp', 'setTimestamp'])
+            ->getMock();
+
+        $dateTimeMock->expects($this->any())
+            ->method('format')
+            ->with(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT)
+            ->willReturn($dateTime);
+
+        $dateTimeMock
+            ->expects($this->any())
+            ->method('getTimestamp')
+            ->willReturn($timestamp);
+
+        $dateTimeMock
+            ->expects($this->any())
+            ->method('setTimestamp')
+            ->willReturnSelf();
+
+        $dateTimeFactory = $this->getMockBuilder(DateTimeFactory::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+        $dateTimeFactory->expects($this->any())->method('create')->willReturn($dateTimeMock);
 
         $this->objectManagerHelper = new ObjectManagerHelper($this);
         $this->accountManagement = $this->objectManagerHelper->getObject(
@@ -1306,7 +1388,16 @@ private function reInitModel()
                 'customerRegistry' => $this->customerRegistry,
                 'customerRepository' => $this->customerRepository,
                 'customerModel' => $this->customer,
-                'dateTimeFactory' => $this->dateTimeFactory,
+                'dateTimeFactory' => $dateTimeFactory,
+                'stringHelper' => $this->string,
+                'scopeConfig' => $this->scopeConfig,
+                'sessionManager' => $this->sessionManager,
+                'visitorCollectionFactory' => $this->visitorCollectionFactory,
+                'saveHandler' => $this->saveHandler,
+                'encryptor' => $this->encryptor,
+                'dataProcessor' => $this->dataObjectProcessor,
+                'storeManager' => $this->storeManager,
+                'transportBuilder' => $this->transportBuilder,
             ]
         );
         $reflection = new \ReflectionClass(get_class($this->accountManagement));
@@ -1326,6 +1417,7 @@ public function testChangePassword()
         $newPassword = 'abcdefg';
         $passwordHash = '1a2b3f4c';
 
+        $this->reInitModel();
         $customer = $this->getMockBuilder(\Magento\Customer\Api\Data\CustomerInterface::class)
             ->getMock();
         $customer->expects($this->any())
@@ -1341,24 +1433,20 @@ public function testChangePassword()
         $this->authenticationMock->expects($this->once())
             ->method('authenticate');
 
-        $customerSecure = $this->getMockBuilder(\Magento\Customer\Model\Data\CustomerSecure::class)
-            ->setMethods(['setRpToken', 'setRpTokenCreatedAt', 'getPasswordHash'])
-            ->disableOriginalConstructor()
-            ->getMock();
-        $customerSecure->expects($this->once())
+        $this->customerSecure->expects($this->once())
             ->method('setRpToken')
             ->with(null);
-        $customerSecure->expects($this->once())
+        $this->customerSecure->expects($this->once())
             ->method('setRpTokenCreatedAt')
             ->willReturnSelf();
-        $customerSecure->expects($this->any())
+        $this->customerSecure->expects($this->any())
             ->method('getPasswordHash')
             ->willReturn($passwordHash);
 
         $this->customerRegistry->expects($this->any())
             ->method('retrieveSecureData')
             ->with($customerId)
-            ->willReturn($customerSecure);
+            ->willReturn($this->customerSecure);
 
         $this->scopeConfig->expects($this->any())
             ->method('getValue')
@@ -1388,9 +1476,85 @@ public function testChangePassword()
             ->method('save')
             ->with($customer);
 
+        $this->sessionManager->expects($this->atLeastOnce())->method('start');
+        $this->sessionManager->expects($this->atLeastOnce())->method('writeClose');
+        $this->sessionManager->expects($this->atLeastOnce())->method('getSessionId');
+
+        $visitor = $this->getMockBuilder(\Magento\Customer\Model\Visitor::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getSessionId'])
+            ->getMock();
+        $visitor->expects($this->at(0))->method('getSessionId')->willReturn('session_id_1');
+        $visitor->expects($this->at(1))->method('getSessionId')->willReturn('session_id_2');
+        $visitorCollection = $this->getMockBuilder(
+            \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
+        )
+            ->disableOriginalConstructor()->setMethods(['addFieldToFilter', 'getItems'])->getMock();
+        $visitorCollection->expects($this->atLeastOnce())->method('addFieldToFilter')->willReturnSelf();
+        $visitorCollection->expects($this->atLeastOnce())->method('getItems')->willReturn([$visitor, $visitor]);
+        $this->visitorCollectionFactory->expects($this->atLeastOnce())->method('create')
+            ->willReturn($visitorCollection);
+        $this->saveHandler->expects($this->at(0))->method('destroy')->with('session_id_1');
+        $this->saveHandler->expects($this->at(1))->method('destroy')->with('session_id_2');
+
         $this->assertTrue($this->accountManagement->changePassword($email, $currentPassword, $newPassword));
     }
 
+    public function testResetPassword()
+    {
+        $customerEmail = 'customer@example.com';
+        $customerId = '1';
+        $resetToken = 'newStringToken';
+        $newPassword = 'new_password';
+
+        $this->reInitModel();
+        $customer = $this->getMockBuilder(\Magento\Customer\Api\Data\CustomerInterface::class)->getMock();
+        $customer->expects($this->any())->method('getId')->willReturn($customerId);
+        $this->customerRepository->expects($this->atLeastOnce())->method('get')->with($customerEmail)
+            ->willReturn($customer);
+        $this->customer->expects($this->atLeastOnce())->method('getResetPasswordLinkExpirationPeriod')
+            ->willReturn(100000);
+        $this->string->expects($this->any())->method('strlen')->willReturnCallback(
+            function ($string) {
+                return strlen($string);
+            }
+        );
+        $this->customerRegistry->expects($this->atLeastOnce())->method('retrieveSecureData')
+            ->willReturn($this->customerSecure);
+
+        $this->customerSecure->expects($this->once())
+            ->method('setRpToken')
+            ->with(null);
+        $this->customerSecure->expects($this->once())
+            ->method('setRpTokenCreatedAt')
+            ->with(null);
+        $this->customerSecure->expects($this->any())
+            ->method('setPasswordHash')
+            ->willReturn(null);
+
+        $this->sessionManager->expects($this->atLeastOnce())->method('destroy');
+        $this->sessionManager->expects($this->atLeastOnce())->method('start');
+        $this->sessionManager->expects($this->atLeastOnce())->method('writeClose');
+        $this->sessionManager->expects($this->atLeastOnce())->method('getSessionId');
+        $visitor = $this->getMockBuilder(\Magento\Customer\Model\Visitor::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getSessionId'])
+            ->getMock();
+        $visitor->expects($this->at(0))->method('getSessionId')->willReturn('session_id_1');
+        $visitor->expects($this->at(1))->method('getSessionId')->willReturn('session_id_2');
+        $visitorCollection = $this->getMockBuilder(
+            \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
+        )
+            ->disableOriginalConstructor()->setMethods(['addFieldToFilter', 'getItems'])->getMock();
+        $visitorCollection->expects($this->atLeastOnce())->method('addFieldToFilter')->willReturnSelf();
+        $visitorCollection->expects($this->atLeastOnce())->method('getItems')->willReturn([$visitor, $visitor]);
+        $this->visitorCollectionFactory->expects($this->atLeastOnce())->method('create')
+            ->willReturn($visitorCollection);
+        $this->saveHandler->expects($this->at(0))->method('destroy')->with('session_id_1');
+        $this->saveHandler->expects($this->at(1))->method('destroy')->with('session_id_2');
+        $this->assertTrue($this->accountManagement->resetPassword($customerEmail, $resetToken, $newPassword));
+    }
+
     /**
      * @return void
      */