Merge pull request #88 from magento-extensibility/pr

[Extensibility] Bug fixes - part 2

Author: Oleksii Korshenko

.htaccess

@@ -206,7 +206,7 @@
 
 ###########################################
 ## Deny access to root files to hide sensitive application information
-    RedirectMatch 404 /\.git
+    RedirectMatch 403 /\.git
 
     <Files composer.json>
         order allow,deny
@@ -277,10 +277,14 @@
         deny from all
     </Files>
     <Files magento_umask>
-            order allow,deny
-            deny from all
+        order allow,deny
+        deny from all
     </Files>
 
+# For 404s and 403s that aren't handled by the application, show plain 404 response
+ErrorDocument 404 /pub/errors/404.php
+ErrorDocument 403 /pub/errors/404.php
+
 ################################
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags

.htaccess.sample

@@ -1,11 +1,12 @@
 ############################################
-## Optional override of deployment mode. We recommend you use the
-## command bin/magento deploy:mode:set to switch modes instead
-#   SetEnv MAGE_MODE default # or production or developer
+## overrides deployment configuration mode value
+## use command bin/magento deploy:mode:set to switch modes
+
+#   SetEnv MAGE_MODE developer
 
 ############################################
-## Uncomment these lines for CGI mode.
-## Make sure to specify the correct cgi php binary file name
+## uncomment these lines for CGI mode
+## make sure to specify the correct cgi php binary file name
 ## it might be /cgi-bin/php-cgi
 
 #    Action php5-cgi /cgi-bin/php5-cgi
@@ -16,42 +17,42 @@
 
 #   Options -MultiViews
 
-## You might also need to add this line to php.ini
+## you might also need to add this line to php.ini
 ##     cgi.fix_pathinfo = 1
-## If it still doesn't work, rename php.ini to php5.ini
+## if it still doesn't work, rename php.ini to php5.ini
 
 ############################################
-## This line is specific for 1and1 hosting
+## this line is specific for 1and1 hosting
 
     #AddType x-mapp-php5 .php
     #AddHandler x-mapp-php5 .php
 
 ############################################
-## Default index file
+## default index file
 
     DirectoryIndex index.php
 
 <IfModule mod_php5.c>
 
 ############################################
-## Adjust memory limit
+## adjust memory limit
 
     php_value memory_limit 768M
     php_value max_execution_time 18000
 
 ############################################
-## Disable automatic session start
+## disable automatic session start
 ## before autoload was initialized
 
     php_flag session.auto_start off
 
 ############################################
-## Enable resulting html compression
+## enable resulting html compression
 
     #php_flag zlib.output_compression on
 
 ###########################################
-## Disable user agent verification to not break multiple image upload
+## disable user agent verification to not break multiple image upload
 
     php_flag suhosin.session.cryptua off
 
@@ -60,32 +61,32 @@
 <IfModule mod_php7.c>
 
 ############################################
-## Adjust memory limit
+## adjust memory limit
 
     php_value memory_limit 768M
     php_value max_execution_time 18000
 
 ############################################
-## Disable automatic session start
+## disable automatic session start
 ## before autoload was initialized
 
     php_flag session.auto_start off
 
 ############################################
-## Enable resulting html compression
+## enable resulting html compression
 
     #php_flag zlib.output_compression on
 
 ###########################################
-## Disable user agent verification to not break multiple image upload
+## disable user agent verification to not break multiple image upload
 
     php_flag suhosin.session.cryptua off
 
 </IfModule>
 
 <IfModule mod_security.c>
 ###########################################
-## Disable POST processing to not break multiple image upload
+## disable POST processing to not break multiple image upload
 
     SecFilterEngine Off
     SecFilterScanPOST Off
@@ -94,7 +95,7 @@
 <IfModule mod_deflate.c>
 
 ############################################
-## Enable apache served files compression
+## enable apache served files compression
 ## http://developer.yahoo.com/performance/rules.html#gzip
 
     # Insert filter on all content
@@ -122,14 +123,14 @@
 <IfModule mod_ssl.c>
 
 ############################################
-## Make HTTPS env vars available for CGI mode
+## make HTTPS env vars available for CGI mode
 
     SSLOptions StdEnvVars
 
 </IfModule>
 
 ############################################
-## Workaround for Apache 2.4.6 CentOS build when working via ProxyPassMatch with HHVM (or any other)
+## workaround for Apache 2.4.6 CentOS build when working via ProxyPassMatch with HHVM (or any other)
 ## Please, set it on virtual host configuration level
 
 ##    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
@@ -138,19 +139,19 @@
 <IfModule mod_rewrite.c>
 
 ############################################
-## Enable rewrites
+## enable rewrites
 
     Options +FollowSymLinks
     RewriteEngine on
 
 ############################################
-## You can put here your magento root folder
+## you can put here your magento root folder
 ## path relative to web root
 
     #RewriteBase /magento/
 
 ############################################
-## Workaround for HTTP authorization
+## workaround for HTTP authorization
 ## in CGI environment
 
     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
@@ -162,21 +163,21 @@
     RewriteRule .* - [L,R=405]
 
 ############################################
-## Redirect for mobile user agents
+## redirect for mobile user agents
 
     #RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
     #RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
     #RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
 
 ############################################
-## Never rewrite for existing files, directories and links
+## never rewrite for existing files, directories and links
 
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_FILENAME} !-l
 
 ############################################
-## Rewrite everything else to index.php
+## rewrite everything else to index.php
 
     RewriteRule .* index.php [L]
 
@@ -205,7 +206,7 @@
 
 ###########################################
 ## Deny access to root files to hide sensitive application information
-    RedirectMatch 404 /\.git
+    RedirectMatch 403 /\.git
 
     <Files composer.json>
         order allow,deny
@@ -280,6 +281,10 @@
         deny from all
     </Files>
 
+# For 404s and 403s that aren't handled by the application, show plain 404 response
+ErrorDocument 404 /pub/errors/404.php
+ErrorDocument 403 /pub/errors/404.php
+
 ################################
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags

app/code/Magento/PageCache/Model/Config.php

@@ -147,7 +147,13 @@ protected function _getReplacements()
                 \Magento\Store\Model\ScopeInterface::SCOPE_STORE
             ),
             '/* {{ ips }} */' => $this->_getAccessList(),
-            '/* {{ design_exceptions_code }} */' => $this->_getDesignExceptions()
+            '/* {{ design_exceptions_code }} */' => $this->_getDesignExceptions(),
+            // http headers get transformed by php `X-Forwarded-Proto: https` becomes $SERVER['HTTP_X_FORWARDED_PROTO'] = 'https'
+            // Apache and Nginx drop all headers with underlines by default.
+            '/* {{ ssl_offloaded_header }} */' => str_replace('_', '-', $this->_scopeConfig->getValue(
+                \Magento\Framework\HTTP\PhpEnvironment\Request::XML_PATH_OFFLOADER_HEADER,
+                \Magento\Store\Model\ScopeInterface::SCOPE_STORE))
+
         ];
     }
 

app/code/Magento/PageCache/Observer/ProcessLayoutRenderElement.php

@@ -59,6 +59,8 @@ protected function _wrapEsi(
                 'handles' => json_encode($layout->getUpdate()->getHandles())
             ]
         );
+        // Varnish does not support ESI over HTTPS must change to HTTP
+        $url = substr($url, 0, 5) === 'https' ? 'http' . substr($url, 5) : $url;
         return sprintf('<esi:include src="%s" />', $url);
     }
 

app/code/Magento/PageCache/etc/varnish3.vcl

@@ -1,5 +1,7 @@
 import std;
 # The minimal Varnish version is 3.0.5
+# For SSL offloading, pass the following header in your proxy server or load balancer: '/* {{ ssl_offloaded_header }} */: https'
+
 
 backend default {
     .host = "/* {{ host }} */";
@@ -61,6 +63,7 @@ sub vcl_recv {
     # static files are always cacheable. remove SSL flag and cookie
     if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
         unset req.http.Https;
+        unset req.http./* {{ ssl_offloaded_header }} */;
         unset req.http.Cookie;
     }
 
@@ -73,6 +76,10 @@ sub vcl_hash {
     if (req.http.cookie ~ "X-Magento-Vary=") {
         hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
     }
+
+    if (req.http./* {{ ssl_offloaded_header }} */) {
+        hash_data(req.http./* {{ ssl_offloaded_header }} */);
+    }
     /* {{ design_exceptions_code }} */
 }
 

app/code/Magento/PageCache/etc/varnish4.vcl

@@ -2,6 +2,7 @@ vcl 4.0;
 
 import std;
 # The minimal Varnish version is 4.0
+# For SSL offloading, pass the following header in your proxy server or load balancer: '/* {{ ssl_offloaded_header }} */: https'
 
 backend default {
     .host = "/* {{ host }} */";
@@ -74,6 +75,7 @@ sub vcl_recv {
     # static files are always cacheable. remove SSL flag and cookie
         if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
         unset req.http.Https;
+        unset req.http./* {{ ssl_offloaded_header }} */;
         unset req.http.Cookie;
     }
 
@@ -93,8 +95,8 @@ sub vcl_hash {
     }
 
     # To make sure http users don't see ssl warning
-    if (req.http.X-Forwarded-Proto) {
-        hash_data(req.http.X-Forwarded-Proto);
+    if (req.http./* {{ ssl_offloaded_header }} */) {
+        hash_data(req.http./* {{ ssl_offloaded_header }} */);
     }
     /* {{ design_exceptions_code }} */
 }

app/code/Magento/Store/etc/config.xml

@@ -76,7 +76,7 @@
                 <base_link_url>{{secure_base_url}}</base_link_url>
                 <use_in_frontend>0</use_in_frontend>
                 <use_in_adminhtml>0</use_in_adminhtml>
-                <offloader_header>SSL_OFFLOADED</offloader_header>
+                <offloader_header>X-Forwarded-Proto</offloader_header>
             </secure>
             <session>
                 <use_remote_addr>0</use_remote_addr>

app/code/Magento/Webapi/Test/Unit/Controller/SoapTest.php

@@ -49,12 +49,16 @@ class SoapTest extends \PHPUnit_Framework_TestCase
      */
     protected $_appStateMock;
 
+
+    protected $_appconfig;
     /**
      * Set up Controller object.
      */
     protected function setUp()
     {
         parent::setUp();
+        
+        $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
 
         $this->_soapServerMock = $this->getMockBuilder('Magento\Webapi\Model\Soap\Server')
             ->disableOriginalConstructor()
@@ -95,6 +99,15 @@ protected function setUp()
             ->method('getHeaders')
             ->will($this->returnValue(new \Zend\Http\Headers()));
 
+        $appconfig = $this->getMock(\Magento\Framework\App\Config::class, [], [], '' , false);
+        $objectManagerHelper->setBackwardCompatibleProperty(
+            $this->_requestMock,
+            'appConfig',
+            $appconfig
+        );
+
+
+
         $this->_soapServerMock->expects($this->any())->method('setWSDL')->will($this->returnSelf());
         $this->_soapServerMock->expects($this->any())->method('setEncoding')->will($this->returnSelf());
         $this->_soapServerMock->expects($this->any())->method('setReturnResponse')->will($this->returnSelf());

dev/tests/integration/testsuite/Magento/Store/Model/StoreTest.php

@@ -372,7 +372,7 @@ public function isUseStoreInUrlDataProvider()
      *
      * @param bool $expected
      * @param array $serverValues
-     * @magentoConfigFixture current_store web/secure/offloader_header SSL_OFFLOADED
+     * @magentoConfigFixture current_store web/secure/offloader_header X_FORWARDED_PROTO
      * @magentoConfigFixture current_store web/secure/base_url https://example.com:80
      */
     public function testIsCurrentlySecure($expected, $serverValues)
@@ -391,8 +391,8 @@ public function isCurrentlySecureDataProvider()
     {
         return [
             [true, ['HTTPS' => 'on']],
-            [true, ['SSL_OFFLOADED' => 'https']],
-            [true, ['HTTP_SSL_OFFLOADED' => 'https']],
+            [true, ['X_FORWARDED_PROTO' => 'https']],
+            [true, ['HTTP_X_FORWARDED_PROTO' => 'https']],
             [true, ['HTTPS' => 'on', 'SERVER_PORT' => 80]],
             [false, ['SERVER_PORT' => 80]],
             [false, []],

lib/internal/Magento/Framework/App/Bootstrap.php

@@ -404,15 +404,18 @@ public function getErrorCode()
      */
     public function isDeveloperMode()
     {
-        if (isset($this->server[State::PARAM_MODE]) && $this->server[State::PARAM_MODE] == State::MODE_DEVELOPER) {
-            return true;
-        }
-        /** @var \Magento\Framework\App\DeploymentConfig $deploymentConfig */
-        $deploymentConfig = $this->getObjectManager()->get('Magento\Framework\App\DeploymentConfig');
-        if ($deploymentConfig->get(State::PARAM_MODE) == State::MODE_DEVELOPER) {
-            return true;
+        $mode = 'default';
+        if (isset($this->server[State::PARAM_MODE])) {
+            $mode = $this->server[State::PARAM_MODE];
+        } else {
+            $deploymentConfig = $this->getObjectManager()->get(DeploymentConfig::class);
+            $configMode = $deploymentConfig->get(State::PARAM_MODE);
+            if ($configMode) {
+                $mode = $configMode;
+            }
         }
-        return false;
+
+        return $mode == State::MODE_DEVELOPER;
     }
 
     /**