Merge branch 'MC-38366' of github.com:magento-cia/magento2ce into cia-2.3.7-1152021

Author: admanesachin

app/code/Magento/Backend/Model/Auth/Session.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backend\Model\Auth;
 
 use Magento\Framework\App\ObjectManager;
@@ -210,7 +212,8 @@ public function prolong()
                 ->setPath($this->sessionConfig->getCookiePath())
                 ->setDomain($this->sessionConfig->getCookieDomain())
                 ->setSecure($this->sessionConfig->getCookieSecure())
-                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly());
+                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly())
+                ->setSameSite($this->sessionConfig->getCookieSameSite());
             $this->cookieManager->setPublicCookie($this->getName(), $cookieValue, $cookieMetadata);
         }
     }

app/code/Magento/Backend/Model/Session/AdminConfig.php

@@ -85,6 +85,7 @@ public function __construct(
         $this->setCookiePath($adminPath);
         $this->setName($sessionName);
         $this->setCookieSecure($this->_httpRequest->isSecure());
+        $this->setCookieSameSite('Lax');
     }
 
     /**
@@ -96,6 +97,7 @@ private function extractAdminPath()
     {
         $backendApp = $this->backendAppList->getCurrentApp();
         $cookiePath = null;
+        //phpcs:ignore
         $baseUrl = parse_url($this->backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
         if (!$backendApp) {
             $cookiePath = $baseUrl . $this->_frontNameResolver->getFrontName();

app/code/Magento/Backend/Test/Unit/Model/Auth/SessionTest.php

@@ -3,45 +3,58 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backend\Test\Unit\Model\Auth;
 
+use Magento\Backend\App\Config;
 use Magento\Backend\Model\Auth\Session;
+use Magento\Framework\Acl;
+use Magento\Framework\Acl\Builder;
+use Magento\Framework\Session\Storage;
+use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
+use Magento\Framework\Stdlib\Cookie\PhpCookieManager;
+use Magento\Framework\Stdlib\Cookie\PublicCookieMetadata;
+use Magento\Framework\Stdlib\CookieManagerInterface;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\User\Model\User;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
 
 /**
  * Class SessionTest tests Magento\Backend\Model\Auth\Session
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
-class SessionTest extends \PHPUnit\Framework\TestCase
+class SessionTest extends TestCase
 {
     /**
-     * @var \Magento\Backend\App\Config | \PHPUnit_Framework_MockObject_MockObject
+     * @var Config|MockObject
      */
     private $config;
 
     /**
-     * @var \Magento\Framework\Session\Config | \PHPUnit_Framework_MockObject_MockObject
+     * @var \Magento\Framework\Session\Config|MockObject
      */
     private $sessionConfig;
 
     /**
-     * @var \Magento\Framework\Stdlib\CookieManagerInterface | \PHPUnit_Framework_MockObject_MockObject
+     * @var CookieManagerInterface|MockObject
      */
     private $cookieManager;
 
     /**
-     * @var \Magento\Framework\Stdlib\Cookie\CookieMetadataFactory | \PHPUnit_Framework_MockObject_MockObject
+     * @var CookieMetadataFactory|MockObject
      */
     private $cookieMetadataFactory;
 
     /**
-     * @var \Magento\Framework\Session\Storage | \PHPUnit_Framework_MockObject_MockObject
+     * @var Storage|MockObject
      */
     private $storage;
 
     /**
-     * @var \Magento\Framework\Acl\Builder | \PHPUnit_Framework_MockObject_MockObject
+     * @var Builder|MockObject
      */
     private $aclBuilder;
 
@@ -53,32 +66,38 @@ class SessionTest extends \PHPUnit\Framework\TestCase
     /**
      * @inheritdoc
      */
-    protected function setUp()
+    protected function setUp(): void
     {
         $this->cookieMetadataFactory = $this->createPartialMock(
-            \Magento\Framework\Stdlib\Cookie\CookieMetadataFactory::class,
+            CookieMetadataFactory::class,
             ['createPublicCookieMetadata']
         );
 
-        $this->config = $this->createPartialMock(\Magento\Backend\App\Config::class, ['getValue']);
+        $this->config = $this->createPartialMock(Config::class, ['getValue']);
         $this->cookieManager = $this->createPartialMock(
-            \Magento\Framework\Stdlib\Cookie\PhpCookieManager::class,
+            PhpCookieManager::class,
             ['getCookie', 'setPublicCookie']
         );
         $this->storage = $this->createPartialMock(
-            \Magento\Framework\Session\Storage::class,
+            Storage::class,
             ['getUser', 'getAcl', 'setAcl']
         );
         $this->sessionConfig = $this->createPartialMock(
             \Magento\Framework\Session\Config::class,
-            ['getCookiePath', 'getCookieDomain', 'getCookieSecure', 'getCookieHttpOnly']
+            [
+                'getCookiePath',
+                'getCookieDomain',
+                'getCookieSecure',
+                'getCookieHttpOnly',
+                'getCookieSameSite'
+            ]
         );
-        $this->aclBuilder = $this->getMockBuilder(\Magento\Framework\Acl\Builder::class)
+        $this->aclBuilder = $this->getMockBuilder(Builder::class)
             ->disableOriginalConstructor()
             ->getMock();
         $objectManager = new ObjectManager($this);
         $this->session = $objectManager->getObject(
-            \Magento\Backend\Model\Auth\Session::class,
+            Session::class,
             [
                 'config' => $this->config,
                 'sessionConfig' => $this->sessionConfig,
@@ -90,7 +109,7 @@ protected function setUp()
         );
     }
 
-    protected function tearDown()
+    protected function tearDown(): void
     {
         $this->config = null;
         $this->sessionConfig = null;
@@ -103,9 +122,11 @@ protected function tearDown()
      */
     public function testRefreshAcl($isUserPassedViaParams)
     {
-        $aclMock = $this->getMockBuilder(\Magento\Framework\Acl::class)->disableOriginalConstructor()->getMock();
+        $aclMock = $this->getMockBuilder(Acl::class)
+            ->disableOriginalConstructor()
+            ->getMock();
         $this->aclBuilder->expects($this->any())->method('getAcl')->willReturn($aclMock);
-        $userMock = $this->getMockBuilder(\Magento\User\Model\User::class)
+        $userMock = $this->getMockBuilder(User::class)
             ->setMethods(['getReloadAclFlag', 'setReloadAclFlag', 'unsetData', 'save'])
             ->disableOriginalConstructor()
             ->getMock();
@@ -136,14 +157,14 @@ public function refreshAclDataProvider()
 
     public function testIsLoggedInPositive()
     {
-        $user = $this->createPartialMock(\Magento\User\Model\User::class, ['getId', '__wakeup']);
+        $user = $this->createPartialMock(User::class, ['getId', '__wakeup']);
         $user->expects($this->once())
             ->method('getId')
-            ->will($this->returnValue(1));
+            ->willReturn(1);
 
         $this->storage->expects($this->any())
             ->method('getUser')
-            ->will($this->returnValue($user));
+            ->willReturn($user);
 
         $this->assertTrue($this->session->isLoggedIn());
     }
@@ -160,54 +181,55 @@ public function testProlong()
 
         $this->config->expects($this->once())
             ->method('getValue')
-            ->with(\Magento\Backend\Model\Auth\Session::XML_PATH_SESSION_LIFETIME)
+            ->with(Session::XML_PATH_SESSION_LIFETIME)
             ->willReturn($lifetime);
-        $cookieMetadata = $this->createMock(\Magento\Framework\Stdlib\Cookie\PublicCookieMetadata::class);
+        $cookieMetadata = $this->createMock(PublicCookieMetadata::class);
         $cookieMetadata->expects($this->once())
             ->method('setDuration')
-            ->with($lifetime)
-            ->will($this->returnSelf());
+            ->with($lifetime)->willReturnSelf();
         $cookieMetadata->expects($this->once())
             ->method('setPath')
-            ->with($path)
-            ->will($this->returnSelf());
+            ->with($path)->willReturnSelf();
         $cookieMetadata->expects($this->once())
             ->method('setDomain')
-            ->with($domain)
-            ->will($this->returnSelf());
+            ->with($domain)->willReturnSelf();
         $cookieMetadata->expects($this->once())
             ->method('setSecure')
-            ->with($secure)
-            ->will($this->returnSelf());
+            ->with($secure)->willReturnSelf();
         $cookieMetadata->expects($this->once())
             ->method('setHttpOnly')
-            ->with($httpOnly)
-            ->will($this->returnSelf());
+            ->with($httpOnly)->willReturnSelf();
+        $cookieMetadata->expects($this->once())
+            ->method('setSameSite')
+            ->willReturnSelf();
 
         $this->cookieMetadataFactory->expects($this->once())
             ->method('createPublicCookieMetadata')
-            ->will($this->returnValue($cookieMetadata));
+            ->willReturn($cookieMetadata);
 
         $this->cookieManager->expects($this->once())
             ->method('getCookie')
             ->with($name)
-            ->will($this->returnValue($cookie));
+            ->willReturn($cookie);
         $this->cookieManager->expects($this->once())
             ->method('setPublicCookie')
             ->with($name, $cookie, $cookieMetadata);
 
         $this->sessionConfig->expects($this->once())
             ->method('getCookiePath')
-            ->will($this->returnValue($path));
+            ->willReturn($path);
         $this->sessionConfig->expects($this->once())
             ->method('getCookieDomain')
-            ->will($this->returnValue($domain));
+            ->willReturn($domain);
         $this->sessionConfig->expects($this->once())
             ->method('getCookieSecure')
-            ->will($this->returnValue($secure));
+            ->willReturn($secure);
         $this->sessionConfig->expects($this->once())
             ->method('getCookieHttpOnly')
-            ->will($this->returnValue($httpOnly));
+            ->willReturn($httpOnly);
+        $this->sessionConfig->expects($this->once())
+            ->method('getCookieSameSite')
+            ->willReturn('Lax');
 
         $this->session->prolong();
 
@@ -225,15 +247,21 @@ public function testIsAllowed($isUserDefined, $isAclDefined, $isAllowed, $expect
     {
         $userAclRole = 'userAclRole';
         if ($isAclDefined) {
-            $aclMock = $this->getMockBuilder(\Magento\Framework\Acl::class)->disableOriginalConstructor()->getMock();
+            $aclMock = $this->getMockBuilder(Acl::class)
+                ->disableOriginalConstructor()
+                ->getMock();
             $this->storage->expects($this->any())->method('getAcl')->willReturn($aclMock);
         }
         if ($isUserDefined) {
-            $userMock = $this->getMockBuilder(\Magento\User\Model\User::class)->disableOriginalConstructor()->getMock();
+            $userMock = $this->getMockBuilder(User::class)
+                ->disableOriginalConstructor()
+                ->getMock();
             $this->storage->expects($this->once())->method('getUser')->willReturn($userMock);
         }
         if ($isAclDefined && $isUserDefined) {
+            // phpstan:ignore
             $userMock->expects($this->any())->method('getAclRole')->willReturn($userAclRole);
+            // phpstan:ignore
             $aclMock->expects($this->once())->method('isAllowed')->with($userAclRole)->willReturn($isAllowed);
         }
 

dev/tests/integration/testsuite/Magento/Framework/Session/ConfigTest.php

@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 // @codingStandardsIgnoreStart
 namespace {
     $mockPHPFunctions = false;
@@ -34,6 +35,7 @@ function ini_get($varName)
         } elseif ($mockPHPFunctions == 2) {
             return null;
         }
+        //phpcs:ignore PHPCompatibility
         return call_user_func_array('\ini_get', func_get_args());
     }
 
@@ -181,7 +183,7 @@ public function testSettingInvalidCookieLifetime()
             $model->setCookieLifetime('foobar_bogus');
             $this->assertEquals($preVal, $model->getCookieLifetime());
         }
-      
+
         public function testSettingInvalidCookieLifetime2()
         {
             $model = $this->getModel();
@@ -375,5 +377,18 @@ private function getModel(): \Magento\Framework\Session\Config
                 ['deploymentConfig' => $this->deploymentConfigMock]
             );
         }
+
+        /**
+         * Test Set SameSite Attribute
+         *
+         * @return void
+         */
+        public function testSetCookieInvalidSameSite(): void
+        {
+            $model = $this->getModel();
+            $this->expectException('InvalidArgumentException');
+            $this->expectExceptionMessage('Invalid Samesite attribute.');
+            $model->setCookieSameSite('foobar');
+        }
     }
 }

lib/internal/Magento/Framework/Session/Config.php

@@ -5,12 +5,15 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Framework\Session;
 
 use Magento\Framework\App\DeploymentConfig;
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Filesystem;
 use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\Session\Config\Validator\CookieSameSiteValidator;
 
 /**
  * Magento session configuration
@@ -208,6 +211,7 @@ public function __construct(
         $unsecureURL = $this->_scopeConfig->getValue('web/unsecure/base_url', $this->_scopeType);
         $isFullySecuredURL = $secureURL == $unsecureURL;
         $this->setCookieSecure($isFullySecuredURL && $this->_httpRequest->isSecure());
+        $this->setCookieSameSite('Lax');
     }
 
     /**
@@ -572,4 +576,36 @@ public function __call($method, $args)
             throw new \BadMethodCallException(sprintf('Method "%s" does not exist in %s', $method, get_class($this)));
         }
     }
+
+    /**
+     * Set session.cookie_samesite
+     *
+     * @param string $cookieSameSite
+     * @return $this
+     */
+    public function setCookieSameSite(string $cookieSameSite = 'Lax'): ConfigInterface
+    {
+        $validator = $this->_validatorFactory->create(
+            [],
+            CookieSameSiteValidator::class
+        );
+        if (!$validator->isValid($cookieSameSite) ||
+            !$this->getCookieSecure() && strtolower($cookieSameSite) === 'none') {
+            throw new \InvalidArgumentException(
+                'Invalid Samesite attribute.'
+            );
+        }
+        $this->setOption('session.cookie_samesite', $cookieSameSite);
+        return $this;
+    }
+
+    /**
+     * Get session.cookie_samesite
+     *
+     * @return string
+     */
+    public function getCookieSameSite(): string
+    {
+        return (string)$this->getOption('session.cookie_samesite');
+    }
 }