magento
diff --git a/‎dev/tests/api-functional/testsuite/Magento/Integration/Model/AdminTokenServiceTest.php
Lines changed: 144 additions & 14 deletions b/‎dev/tests/api-functional/testsuite/Magento/Integration/Model/AdminTokenServiceTest.php
Lines changed: 144 additions & 14 deletions
@@ -12,6 +12,7 @@
 use Magento\TestFramework\TestCase\WebapiAbstract;
 use Magento\User\Model\User as UserModel;
 use Magento\Framework\Webapi\Exception as HTTPExceptionCodes;
+use Magento\Integration\Model\Oauth\Token\RequestLog\Config as TokenThrottlerConfig;
 
 /**
  * api-functional test for \Magento\Integration\Model\AdminTokenService.
@@ -21,7 +22,6 @@ class AdminTokenServiceTest extends WebapiAbstract
     const SERVICE_NAME = "integrationAdminTokenServiceV1";
     const SERVICE_VERSION = "V1";
     const RESOURCE_PATH_ADMIN_TOKEN = "/V1/integration/admin/token";
-    const RESOURCE_PATH_CUSTOMER_TOKEN = "/V1/integration/customer/token";
 
     /**
      * @var \Magento\Integration\Api\AdminTokenServiceInterface
@@ -38,6 +38,11 @@ class AdminTokenServiceTest extends WebapiAbstract
      */
     private $userModel;
 
+    /**
+     * @var int
+     */
+    private $attemptsCountToLockAccount;
+
     /**
      * Setup AdminTokenService
      */
@@ -47,6 +52,9 @@ public function setUp()
         $this->tokenService = Bootstrap::getObjectManager()->get('Magento\Integration\Model\AdminTokenService');
         $this->tokenModel = Bootstrap::getObjectManager()->get('Magento\Integration\Model\Oauth\Token');
         $this->userModel = Bootstrap::getObjectManager()->get('Magento\User\Model\User');
+        /** @var TokenThrottlerConfig $tokenThrottlerConfig */
+        $tokenThrottlerConfig = Bootstrap::getObjectManager()->get(TokenThrottlerConfig::class);
+        $this->attemptsCountToLockAccount = $tokenThrottlerConfig->getMaxFailuresCount();
     }
 
     /**
@@ -67,20 +75,15 @@ public function testCreateAdminAccessToken()
             'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
         ];
         $accessToken = $this->_webApiCall($serviceInfo, $requestData);
-
-        $adminUserId = $this->userModel->loadByUsername($adminUserNameFromFixture)->getId();
-        /** @var $token TokenModel */
-        $token = $this->tokenModel
-            ->loadByAdminId($adminUserId)
-            ->getToken();
-        $this->assertEquals($accessToken, $token);
+        $this->assertToken($adminUserNameFromFixture, $accessToken);
     }
 
     /**
      * @dataProvider validationDataProvider
      */
     public function testCreateAdminAccessTokenEmptyOrNullCredentials()
     {
+        $noExceptionOccurred = false;
         try {
             $serviceInfo = [
                 'rest' => [
@@ -90,30 +93,36 @@ public function testCreateAdminAccessTokenEmptyOrNullCredentials()
             ];
             $requestData = ['username' => '', 'password' => ''];
             $this->_webApiCall($serviceInfo, $requestData);
+            $noExceptionOccurred = true;
         } catch (\Exception $e) {
             $this->assertInputExceptionMessages($e);
         }
+        if ($noExceptionOccurred) {
+            $this->fail("Exception was expected to be thrown when provided credentials are invalid.");
+        }
     }
 
-    public function testCreateAdminAccessTokenInvalidCustomer()
+    public function testCreateAdminAccessTokenInvalidCredentials()
     {
         $customerUserName = 'invalid';
         $password = 'invalid';
+        $noExceptionOccurred = false;
         try {
             $serviceInfo = [
                 'rest' => [
-                    'resourcePath' => self::RESOURCE_PATH_CUSTOMER_TOKEN,
+                    'resourcePath' => self::RESOURCE_PATH_ADMIN_TOKEN,
                     'httpMethod' => \Magento\Framework\Webapi\Rest\Request::HTTP_METHOD_POST,
                 ],
             ];
             $requestData = ['username' => $customerUserName, 'password' => $password];
             $this->_webApiCall($serviceInfo, $requestData);
+            $noExceptionOccurred = true;
         } catch (\Exception $e) {
-            $this->assertEquals(HTTPExceptionCodes::HTTP_UNAUTHORIZED, $e->getCode());
-            $exceptionData = $this->processRestExceptionResult($e);
-            $expectedExceptionData = ['message' => 'Invalid login or password.'];
+            $this->assertInvalidCredentialsException($e);
+        }
+        if ($noExceptionOccurred) {
+            $this->fail("Exception was expected to be thrown when provided credentials are invalid.");
         }
-        $this->assertEquals($expectedExceptionData, $exceptionData);
     }
 
     /**
@@ -129,6 +138,96 @@ public function validationDataProvider()
         ];
     }
 
+    /**
+     * @magentoApiDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testThrottlingMaxAttempts()
+    {
+        $adminUserNameFromFixture = 'adminUser';
+
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => self::RESOURCE_PATH_ADMIN_TOKEN,
+                'httpMethod' => \Magento\Framework\Webapi\Rest\Request::HTTP_METHOD_POST,
+            ],
+        ];
+        $invalidCredentials = [
+            'username' => $adminUserNameFromFixture,
+            'password' => 'invalid',
+        ];
+        $validCredentials = [
+            'username' => $adminUserNameFromFixture,
+            'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
+        ];
+
+        /* Try to get token using invalid credentials for 5 times (account is locked after 6 attempts) */
+        $noExceptionOccurred = false;
+        for ($i = 0; $i < ($this->attemptsCountToLockAccount - 1); $i++) {
+            try {
+                $this->_webApiCall($serviceInfo, $invalidCredentials);
+                $noExceptionOccurred = true;
+            } catch (\Exception $e) {
+            }
+        }
+        if ($noExceptionOccurred) {
+            $this->fail(
+                "Precondition failed: exception should have occurred when token was requested with invalid credentials."
+            );
+        }
+
+        /** On 6th attempt it still should be possible to get token if valid credentials are specified */
+        $accessToken = $this->_webApiCall($serviceInfo, $validCredentials);
+        $this->assertToken($adminUserNameFromFixture, $accessToken);
+    }
+
+    /**
+     * @magentoApiDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testThrottlingAccountLockout()
+    {
+        $adminUserNameFromFixture = 'adminUser';
+
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => self::RESOURCE_PATH_ADMIN_TOKEN,
+                'httpMethod' => \Magento\Framework\Webapi\Rest\Request::HTTP_METHOD_POST,
+            ],
+        ];
+        $invalidCredentials = [
+            'username' => $adminUserNameFromFixture,
+            'password' => 'invalid',
+        ];
+        $validCredentials = [
+            'username' => $adminUserNameFromFixture,
+            'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
+        ];
+
+        /* Try to get token using invalid credentials for 5 times (account would be locked after 6 attempts) */
+        $noExceptionOccurred = false;
+        for ($i = 0; $i < $this->attemptsCountToLockAccount; $i++) {
+            try {
+                $this->_webApiCall($serviceInfo, $invalidCredentials);
+                $noExceptionOccurred = true;
+            } catch (\Exception $e) {
+                $this->assertInvalidCredentialsException($e);
+            }
+            if ($noExceptionOccurred) {
+                $this->fail("Exception was expected to be thrown when provided credentials are invalid.");
+            }
+        }
+
+        $noExceptionOccurred = false;
+        try {
+            $this->_webApiCall($serviceInfo, $validCredentials);
+            $noExceptionOccurred = true;
+        } catch (\Exception $e) {
+            $this->assertInvalidCredentialsException($e);
+        }
+        if ($noExceptionOccurred) {
+            $this->fail("Exception was expected to be thrown because account should have been locked at this point.");
+        }
+    }
+
     /**
      * Assert for presence of Input exception messages
      *
@@ -157,4 +256,35 @@ private function assertInputExceptionMessages($e)
         ];
         $this->assertEquals($expectedExceptionData, $exceptionData);
     }
+
+    /**
+     * Make sure that status code and message are correct in case of authentication failure.
+     *
+     * @param \Exception $e
+     */
+    private function assertInvalidCredentialsException($e)
+    {
+        $this->assertEquals(HTTPExceptionCodes::HTTP_UNAUTHORIZED, $e->getCode(), "Response HTTP code is invalid.");
+        $exceptionData = $this->processRestExceptionResult($e);
+        $expectedExceptionData = [
+            'message' => 'You did not sign in correctly or your account is temporarily disabled.'
+        ];
+        $this->assertEquals($expectedExceptionData, $exceptionData, "Exception message is invalid.");
+    }
+
+    /**
+     * Make sure provided token is valid and belongs to the specified user.
+     *
+     * @param string $username
+     * @param string $accessToken
+     */
+    private function assertToken($username, $accessToken)
+    {
+        $adminUserId = $this->userModel->loadByUsername($username)->getId();
+        /** @var $token TokenModel */
+        $token = $this->tokenModel
+            ->loadByAdminId($adminUserId)
+            ->getToken();
+        $this->assertEquals($accessToken, $token);
+    }
 }