ACP2E-2969: REST API unable to make requests with slash (/) in SKU when using Oauth1

aplapana · aplapana · commit c76716f09c16 · 2024-07-02T14:03:28.000+03:00
diff --git a/dev/tests/api-functional/framework/Magento/TestFramework/Authentication/Rest/OauthClient.php b/dev/tests/api-functional/framework/Magento/TestFramework/Authentication/Rest/OauthClient.php
@@ -8,6 +8,7 @@
 
 use Magento\Framework\Oauth\Helper\Utility;
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\ObjectManager;
 use OAuth\Common\Consumer\Credentials;
 use OAuth\Common\Http\Client\ClientInterface;
 use OAuth\Common\Http\Exception\TokenResponseException;
@@ -19,7 +20,7 @@
 use OAuth\OAuth1\Token\StdOAuth1Token;
 use OAuth\OAuth1\Token\TokenInterface;
 use Laminas\OAuth\Http\Utility as HTTPUtility;
-use Magento\Framework\Oauth\Helper\Signature\Hmac256;
+use Magento\Framework\Oauth\Helper\Signature\HmacFactory;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -58,7 +59,7 @@ public function __construct(
             $storage = new \OAuth\Common\Storage\Memory();
         }
         if (!isset($helper)) {
-            $helper = new Utility(new HTTPUtility(), new Hmac256());
+            $helper = new Utility(new HTTPUtility(), new HmacFactory(ObjectManager::getInstance()));
         }
         if (!isset($signature)) {
             $signature = new \Magento\TestFramework\Authentication\Rest\OauthClient\Signature($helper, $credentials);
diff --git a/lib/internal/Magento/Framework/Oauth/Helper/Signature/Hmac.php b/lib/internal/Magento/Framework/Oauth/Helper/Signature/Hmac.php
@@ -9,32 +9,63 @@
 
 use Laminas\Crypt\Hmac as HMACEncryption;
 
-class Hmac256
+class Hmac
 {
+    /**
+     * @var string|null
+     */
+    private ?string $hashAlgorithm = null;
+
+    /**
+     * @var string
+     */
+    private string $key;
+
+    /**
+     * @var string
+     */
+    private string $consumerSecret;
+
+    /**
+     * @var string
+     */
+    private string $tokenSecret = '';
+
+    /**
+     * @param string $consumerSecret
+     * @param string|null $tokenSecret
+     * @param string|null $hashAlgo
+     */
+    public function __construct(string $consumerSecret, ?string $tokenSecret = null, ?string $hashAlgo = null)
+    {
+        $this->consumerSecret = $consumerSecret;
+        if (isset($tokenSecret)) {
+            $this->tokenSecret = $tokenSecret;
+        }
+        $this->key = $this->assembleKey();
+        if (isset($hashAlgo)) {
+            $this->hashAlgorithm = $hashAlgo;
+        }
+    }
+
     /**
      * Sign a request
      *
      * @param array $params
-     * @param string $algo
-     * @param string $consumerSecret
-     * @param string|null $tokenSecret
      * @param mixed $method
      * @param mixed $url
      * @return string
      */
     public function sign(
         array   $params,
-        string  $algo,
-        string  $consumerSecret,
-        ?string $tokenSecret = null,
         ?string $method = null,
         ?string $url = null
     ): string {
         unset($params['oauth_signature']);
 
         $binaryHash = HMACEncryption::compute(
-            $this->assembleKey($consumerSecret, $tokenSecret),
-            $algo,
+            $this->key,
+            $this->hashAlgorithm,
             $this->getBaseSignatureString($params, $method, $url),
             HMACEncryption::OUTPUT_BINARY
         );
@@ -45,20 +76,17 @@ public function sign(
     /**
      * Assemble key from consumer and token secrets
      *
-     * @param string $consumerSecret
-     * @param string|null $tokenSecret
      * @return string
      */
-    private function assembleKey(string $consumerSecret, ?string $tokenSecret): string
+    private function assembleKey(): string
     {
-        $parts = [$consumerSecret];
-        if ($tokenSecret !== null) {
-            $parts[] = $tokenSecret;
+        $parts = [$this->consumerSecret];
+        if ($this->tokenSecret !== null) {
+            $parts[] = $this->tokenSecret;
         }
         foreach ($parts as $key => $secret) {
             $parts[$key] = $this->urlEncode($secret);
         }
-
         return implode('&', $parts);
     }
 
diff --git a/lib/internal/Magento/Framework/Oauth/Helper/Utility.php b/lib/internal/Magento/Framework/Oauth/Helper/Utility.php
@@ -8,15 +8,16 @@
 namespace Magento\Framework\Oauth\Helper;
 
 use Laminas\OAuth\Http\Utility as LaminasUtility;
-use Magento\Framework\Oauth\Helper\Signature\Hmac256;
+use Magento\Framework\Oauth\Helper\Signature\Hmac;
+use Magento\Framework\Oauth\Helper\Signature\HmacFactory;
 
 class Utility
 {
     /**
      * @param LaminasUtility $httpUtility
-     * @param Hmac256 $hmac256
+     * @param HmacFactory $hmacFactory
      */
-    public function __construct(private readonly LaminasUtility $httpUtility, private readonly Hmac256 $hmac256)
+    public function __construct(private readonly LaminasUtility $httpUtility, private readonly HmacFactory $hmacFactory)
     {
     }
 
@@ -40,7 +41,10 @@ public function sign(
         ?string $url = null
     ): string {
         if ($this->isHmac256($signatureMethod)) {
-            return $this->hmac256->sign($params, 'sha256', $consumerSecret, $tokenSecret, $method, $url);
+            /** @var Hmac $hmac */
+            $hmac = $this->hmacFactory->create(['consumerSecret' => $consumerSecret, 'tokenSecret' => $tokenSecret, 'hashAlgo' => 'sha256']);
+
+            return $hmac->sign($params, $method, $url);
         } else {
             return $this->httpUtility->sign($params, $signatureMethod, $consumerSecret, $tokenSecret, $method, $url);
         }
@@ -65,22 +69,12 @@ private function isHmac256(string $signatureMethod): bool
      * Cast to authorization header
      *
      * @param array $params
+     * @param string|null $realm
      * @param bool $excludeCustomParams
-     * @return string
      */
-    public function toAuthorizationHeader(array $params, bool $excludeCustomParams = true): string
+    public function toAuthorizationHeader(array $params, ?string $realm = null, bool $excludeCustomParams = true)
     {
-        $headerValue = [];
-        foreach ($params as $key => $value) {
-            if ($excludeCustomParams) {
-                if (! preg_match("/^oauth_/", $key)) {
-                    continue;
-                }
-            }
-            $headerValue[] = $this->httpUtility::urlEncode((string)$key)
-                . '="'
-                . $this->httpUtility::urlEncode((string)$value) . '"';
-        }
-        return 'OAuth ' . implode(",", $headerValue);
+        $authorizationHeader = $this->httpUtility->toAuthorizationHeader($params, $realm, $excludeCustomParams);
+        return str_replace('realm="",', '', $authorizationHeader);
     }
 }
diff --git a/lib/internal/Magento/Framework/Oauth/Oauth.php b/lib/internal/Magento/Framework/Oauth/Oauth.php
@@ -34,7 +34,7 @@ class Oauth implements OauthInterface
     /**
      * @var Utility
      */
-    private Utility $hmacSignatureHelper;
+    private Utility $httpUtility;
 
     /**
      * @param Helper\Oauth $oauthHelper
@@ -51,7 +51,7 @@ public function __construct(
         $this->_oauthHelper = $oauthHelper;
         $this->_nonceGenerator = $nonceGenerator;
         $this->_tokenProvider = $tokenProvider;
-        $this->hmacSignatureHelper = $utility;
+        $this->httpUtility = $utility;
     }
 
     /**
@@ -154,7 +154,7 @@ public function buildAuthorizationHeader(
             'oauth_version' => '1.0',
         ];
         $headerParameters = array_merge($headerParameters, $params);
-        $headerParameters['oauth_signature'] = $this->hmacSignatureHelper->sign(
+        $headerParameters['oauth_signature'] = $this->httpUtility->sign(
             $params,
             $signatureMethod,
             $headerParameters['oauth_consumer_secret'],
@@ -163,7 +163,7 @@ public function buildAuthorizationHeader(
             $requestUrl
         );
 
-        return $this->hmacSignatureHelper->toAuthorizationHeader($headerParameters);
+        return $this->httpUtility->toAuthorizationHeader($headerParameters);
     }
 
     /**
@@ -188,7 +188,7 @@ protected function _validateSignature($params, $consumerSecret, $httpMethod, $re
             );
         }
 
-        $calculatedSign = $this->hmacSignatureHelper->sign(
+        $calculatedSign = $this->httpUtility->sign(
             $params,
             $params['oauth_signature_method'],
             $consumerSecret,
diff --git a/lib/internal/Magento/Framework/Oauth/Test/Unit/Helper/UtilityTest.php b/lib/internal/Magento/Framework/Oauth/Test/Unit/Helper/UtilityTest.php
@@ -9,7 +9,8 @@
 
 use Magento\Framework\Oauth\Helper\Utility as OauthUtility;
 use Laminas\OAuth\Http\Utility as LaminasUtility;
-use Magento\Framework\Oauth\Helper\Signature\Hmac256;
+use Magento\Framework\Oauth\Helper\Signature\Hmac;
+use Magento\Framework\Oauth\Helper\Signature\HmacFactory;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
@@ -21,14 +22,20 @@ class UtilityTest extends TestCase
     private LaminasUtility $httpUtility;
 
     /**
-     * @var Hmac256|MockObject
+     * @var Hmac|MockObject
      */
-    private Hmac256 $hmac256;
+    private Hmac $hmac;
+
+    /**
+     * @var HmacFactory|MockObject
+     */
+    private HmacFactory $hmacFactory;
 
     protected function setUp(): void
     {
         $this->httpUtility = $this->createMock(LaminasUtility::class);
-        $this->hmac256 = $this->createMock(Hmac256::class);
+        $this->hmac = $this->createMock(Hmac::class);
+        $this->hmacFactory = $this->createMock(HmacFactory::class);
     }
 
     /**
@@ -45,12 +52,16 @@ public function testSignMethodUsesHmac256WhenSignatureMethodIsHmacSha256(): void
 
         $expectedSignature = 'expectedSignature';
 
-        $this->hmac256->expects($this->once())
+        $this->hmac->expects($this->once())
             ->method('sign')
-            ->with($params, 'sha256', $consumerSecret, $tokenSecret, $method, $url)
+            ->with($params, $method, $url)
             ->willReturn($expectedSignature);
+        $this->hmacFactory->expects($this->once())
+            ->method('create')
+            ->with(['consumerSecret' => $consumerSecret, 'tokenSecret' => $tokenSecret, 'hashAlgo' => 'sha256'])
+            ->willReturn($this->hmac);
 
-        $utility = new OauthUtility($this->httpUtility, $this->hmac256);
+        $utility = new OauthUtility($this->httpUtility, $this->hmacFactory);
 
         $signature = $utility->sign($params, $signatureMethod, $consumerSecret, $tokenSecret, $method, $url);
 
@@ -76,7 +87,7 @@ public function testSignMethodUsesLaminasUtilityWhenSignatureMethodIsRsa(): void
             ->with($params, $signatureMethod, $consumerSecret, $tokenSecret, $method, $url)
             ->willReturn($expectedSignature);
 
-        $utility = new OauthUtility($this->httpUtility, $this->hmac256);
+        $utility = new OauthUtility($this->httpUtility, $this->hmacFactory);
 
         $signature = $utility->sign($params, $signatureMethod, $consumerSecret, $tokenSecret, $method, $url);
 
