AC-1619: Integration access tokens do not work as Bearer tokens

nathanjosiah · nathanjosiah · commit ae8fafc6990d · 2021-12-07T19:32:26.000-06:00
diff --git a/app/code/Magento/Analytics/Plugin/BearerTokenValidatorPlugin.php b/app/code/Magento/Analytics/Plugin/BearerTokenValidatorPlugin.php
@@ -0,0 +1,49 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Analytics\Plugin;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Integration\Model\Integration;
+use Magento\Integration\Model\Validator\BearerTokenValidator;
+
+/**
+ * Overrides authorization config to always allow analytics token to be used as bearer
+ */
+class BearerTokenValidatorPlugin
+{
+    /**
+     * @var ScopeConfigInterface
+     */
+    private ScopeConfigInterface $config;
+
+    /**
+     * @param ScopeConfigInterface $config
+     */
+    public function __construct(ScopeConfigInterface $config)
+    {
+        $this->config = $config;
+    }
+
+    /***
+     * Always allow access token for analytics to be used as bearer
+     *
+     * @param BearerTokenValidator $subject
+     * @param bool $result
+     * @param Integration $integration
+     * @return bool
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterIsIntegrationAllowedToAsBearerToken(
+        BearerTokenValidator $subject,
+        bool $result,
+        Integration $integration
+    ): bool {
+        return $result || $integration->getName() === $this->config->getValue('analytics/integration_name');
+    }
+}
diff --git a/app/code/Magento/Analytics/Test/Unit/Plugin/BearerTokenValidatorPluginTest.php b/app/code/Magento/Analytics/Test/Unit/Plugin/BearerTokenValidatorPluginTest.php
@@ -0,0 +1,72 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Analytics\Test\Unit\Plugin;
+
+use Magento\Analytics\Plugin\BearerTokenValidatorPlugin;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Integration\Model\Integration;
+use Magento\Integration\Model\Validator\BearerTokenValidator;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+class BearerTokenValidatorPluginTest extends TestCase
+{
+    /**
+     * @var BearerTokenValidatorPlugin
+     */
+    private BearerTokenValidatorPlugin $plugin;
+
+    /**
+     * @var BearerTokenValidator|MockObject
+     */
+    private $validator;
+
+    public function setUp(): void
+    {
+        $config = $this->createMock(ScopeConfigInterface::class);
+        $config->method('getValue')
+            ->with('analytics/integration_name')
+            ->willReturn('abc');
+        $this->plugin = new BearerTokenValidatorPlugin($config);
+        $this->validator = $this->createMock(BearerTokenValidator::class);
+    }
+
+    public function testTrueIsPassedThrough()
+    {
+        $integration = $this->createMock(Integration::class);
+        $integration->method('__call')
+            ->with('getName')
+            ->willReturn('invalid');
+
+        $result = $this->plugin->afterIsIntegrationAllowedToAsBearerToken($this->validator, true, $integration);
+        self::assertTrue($result);
+    }
+
+    public function testFalseWhenIntegrationDoesntMatch()
+    {
+        $integration = $this->createMock(Integration::class);
+        $integration->method('__call')
+            ->with('getName')
+            ->willReturn('invalid');
+
+        $result = $this->plugin->afterIsIntegrationAllowedToAsBearerToken($this->validator, false, $integration);
+        self::assertFalse($result);
+    }
+
+    public function testTrueWhenIntegrationMatches()
+    {
+        $integration = $this->createMock(Integration::class);
+        $integration->method('__call')
+            ->with('getName')
+            ->willReturn('abc');
+
+        $result = $this->plugin->afterIsIntegrationAllowedToAsBearerToken($this->validator, true, $integration);
+        self::assertTrue($result);
+    }
+}
diff --git a/app/code/Magento/Analytics/etc/di.xml b/app/code/Magento/Analytics/etc/di.xml
@@ -271,4 +271,7 @@
             <argument name="connectionFactory" xsi:type="object">Magento\Framework\Model\ResourceModel\Type\Db\ConnectionFactory</argument>
         </arguments>
     </type>
+    <type name="Magento\Integration\Model\Validator\BearerTokenValidator">
+        <plugin name="allow_bearer_token" type="Magento\Analytics\Plugin\BearerTokenValidatorPlugin"/>
+    </type>
 </config>
diff --git a/app/code/Magento/Integration/Model/Config/AuthorizationConfig.php b/app/code/Magento/Integration/Model/Config/AuthorizationConfig.php
@@ -24,7 +24,7 @@ class AuthorizationConfig
     /**
      * @var ScopeConfigInterface
      */
-    private $scopeConfig;
+    private ScopeConfigInterface $scopeConfig;
 
     /**
      * @param ScopeConfigInterface $scopeConfig
diff --git a/app/code/Magento/Integration/Model/OpaqueToken/Reader.php b/app/code/Magento/Integration/Model/OpaqueToken/Reader.php
@@ -8,6 +8,7 @@
 
 namespace Magento\Integration\Model\OpaqueToken;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\App\ObjectManager;
 use Magento\Integration\Api\Data\UserToken;
 use Magento\Integration\Api\Exception\UserTokenException;
@@ -18,6 +19,7 @@
 use Magento\Integration\Model\Oauth\Token;
 use Magento\Integration\Model\Oauth\TokenFactory;
 use Magento\Integration\Helper\Oauth\Data as OauthHelper;
+use Magento\Integration\Model\Validator\BearerTokenValidator;
 
 /**
  * Reads user token data
@@ -37,33 +39,33 @@ class Reader implements UserTokenReaderInterface
     private $helper;
 
     /**
-     * @var AuthorizationConfig
+     * @var IntegrationServiceInterface
      */
-    private $authorizationConfig;
+    private IntegrationServiceInterface $integrationService;
 
     /**
-     * @var IntegrationServiceInterface
+     * @var BearerTokenValidator
      */
-    private IntegrationServiceInterface $integrationService;
+    private BearerTokenValidator $bearerTokenValidator;
 
     /**
      * @param TokenFactory $tokenFactory
      * @param OauthHelper $helper
-     * @param AuthorizationConfig|null $authorizationConfig
      * @param IntegrationServiceInterface|null $integrationService
+     * @param BearerTokenValidator|null $bearerTokenValidator
      */
     public function __construct(
         TokenFactory $tokenFactory,
         OauthHelper $helper,
-        ?AuthorizationConfig $authorizationConfig = null,
-        ?IntegrationServiceInterface $integrationService = null
+        ?IntegrationServiceInterface $integrationService = null,
+        ?BearerTokenValidator $bearerTokenValidator = null
     ) {
         $this->tokenFactory = $tokenFactory;
         $this->helper = $helper;
-        $this->authorizationConfig = $authorizationConfig ?? ObjectManager::getInstance()
-            ->get(AuthorizationConfig::class);
         $this->integrationService = $integrationService ?? ObjectManager::getInstance()
             ->get(IntegrationServiceInterface::class);
+        $this->bearerTokenValidator = $bearerTokenValidator ?? ObjectManager::getInstance()
+            ->get(BearerTokenValidator::class);
     }
 
     /**
@@ -118,12 +120,9 @@ private function getTokenModel(string $token): Token
      */
     private function validateUserType(int $userType): void
     {
-        if ($userType === CustomUserContext::USER_TYPE_INTEGRATION) {
-            if (!$this->authorizationConfig->isIntegrationAsBearerEnabled()) {
-                throw new UserTokenException('Invalid token found');
-            }
-        } elseif ($userType !== CustomUserContext::USER_TYPE_ADMIN
+        if ($userType !== CustomUserContext::USER_TYPE_ADMIN
             && $userType !== CustomUserContext::USER_TYPE_CUSTOMER
+            && $userType !== CustomUserContext::USER_TYPE_INTEGRATION
         ) {
             throw new UserTokenException('Invalid token found');
         }
@@ -138,11 +137,15 @@ private function validateUserType(int $userType): void
     private function getUserId(Token $tokenModel): int
     {
         $userType = (int)$tokenModel->getUserType();
+        $userId = null;
 
         if ($userType === CustomUserContext::USER_TYPE_ADMIN) {
             $userId = $tokenModel->getAdminId();
         } elseif ($userType === CustomUserContext::USER_TYPE_INTEGRATION) {
-            $userId = $this->integrationService->findByConsumerId($tokenModel->getConsumerId())->getId();
+            $integration = $this->integrationService->findByConsumerId($tokenModel->getConsumerId());
+            if ($this->bearerTokenValidator->isIntegrationAllowedToAsBearerToken($integration)) {
+                $userId = $integration->getId();
+            }
         } else {
             $userId = $tokenModel->getCustomerId();
         }
diff --git a/app/code/Magento/Integration/Model/Validator/BearerTokenValidator.php b/app/code/Magento/Integration/Model/Validator/BearerTokenValidator.php
@@ -0,0 +1,43 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Model\Validator;
+
+use Magento\Integration\Model\Config\AuthorizationConfig;
+use Magento\Integration\Model\Integration;
+
+/**
+ * Validate if an integration use the access token as a bearer token
+ */
+class BearerTokenValidator
+{
+    /**
+     * @var AuthorizationConfig
+     */
+    private AuthorizationConfig $authorizationConfig;
+
+    /**
+     * @param AuthorizationConfig $authorizationConfig
+     */
+    public function __construct(AuthorizationConfig $authorizationConfig)
+    {
+        $this->authorizationConfig = $authorizationConfig;
+    }
+
+    /**
+     * Validate an integration's access token can be used as a standalone bearer token
+     *
+     * @param Integration $integration
+     * @return bool
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function isIntegrationAllowedToAsBearerToken(Integration $integration): bool
+    {
+        return $this->authorizationConfig->isIntegrationAsBearerEnabled();
+    }
+}
diff --git a/app/code/Magento/Webapi/Model/Authorization/SoapUserContext.php b/app/code/Magento/Webapi/Model/Authorization/SoapUserContext.php
@@ -8,14 +8,11 @@
 
 use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\App\ObjectManager;
-use Magento\Integration\Model\Config\AuthorizationConfig;
 use Magento\Integration\Model\Oauth\Token;
 use Magento\Integration\Model\Oauth\TokenFactory;
 use Magento\Integration\Api\IntegrationServiceInterface;
 use Magento\Framework\Webapi\Request;
-use Magento\Framework\Stdlib\DateTime\DateTime as Date;
-use Magento\Framework\Stdlib\DateTime;
-use Magento\Integration\Helper\Oauth\Data as OauthHelper;
+use Magento\Integration\Model\Validator\BearerTokenValidator;
 
 /**
  * SOAP specific user context based on opaque tokens.
@@ -50,32 +47,32 @@ class SoapUserContext implements UserContextInterface
     /**
      * @var IntegrationServiceInterface
      */
-    private $integrationService;
+    private IntegrationServiceInterface $integrationService;
 
     /**
-     * @var AuthorizationConfig
+     * @var BearerTokenValidator
      */
-    private $authorizationConfig;
+    private BearerTokenValidator $bearerTokenValidator;
 
     /**
      * Initialize dependencies.
      *
      * @param Request $request
      * @param TokenFactory $tokenFactory
      * @param IntegrationServiceInterface $integrationService
-     * @param AuthorizationConfig|null $authorizationConfig
+     * @param BearerTokenValidator|null $bearerTokenValidator
      */
     public function __construct(
         Request $request,
         TokenFactory $tokenFactory,
         IntegrationServiceInterface $integrationService,
-        ?AuthorizationConfig $authorizationConfig = null
+        ?BearerTokenValidator $bearerTokenValidator = null
     ) {
         $this->request = $request;
         $this->tokenFactory = $tokenFactory;
         $this->integrationService = $integrationService;
-        $this->authorizationConfig = $authorizationConfig ?? ObjectManager::getInstance()
-                ->get(AuthorizationConfig::class);
+        $this->bearerTokenValidator = $bearerTokenValidator ?? ObjectManager::getInstance()
+            ->get(BearerTokenValidator::class);
     }
 
     /**
@@ -117,7 +114,7 @@ private function processRequest() //phpcs:ignore CopyPaste
             return;
         }
         $tokenType = strtolower($headerPieces[0]);
-        if ($tokenType !== 'bearer' || !$this->authorizationConfig->isIntegrationAsBearerEnabled()) {
+        if ($tokenType !== 'bearer') {
             $this->isRequestProcessed = true;
             return;
         }
@@ -131,8 +128,11 @@ private function processRequest() //phpcs:ignore CopyPaste
             return;
         }
         if (((int) $token->getUserType()) === UserContextInterface::USER_TYPE_INTEGRATION) {
-            $this->userId = $this->integrationService->findByConsumerId($token->getConsumerId())->getId();
-            $this->userType = UserContextInterface::USER_TYPE_INTEGRATION;
+            $integration = $this->integrationService->findByConsumerId($token->getConsumerId());
+            if ($this->bearerTokenValidator->isIntegrationAllowedToAsBearerToken($integration)) {
+                $this->userId = $integration->getId();
+                $this->userType = UserContextInterface::USER_TYPE_INTEGRATION;
+            }
         }
         $this->isRequestProcessed = true;
     }
