From ca33666514b595432f364bc492c8b4a2c8353679 Mon Sep 17 00:00:00 2001 From: OlgaVasyltsun Date: Fri, 30 Oct 2020 11:38:00 +0200 Subject: [PATCH 01/13] MC-38797: Fix js errors for recaptcha --- .../etc/csp_whitelist.xml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ReCaptchaVersion3Invisible/etc/csp_whitelist.xml diff --git a/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml new file mode 100644 index 00000000..afae0b67 --- /dev/null +++ b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml @@ -0,0 +1,17 @@ + + + + + + *.google.com + + + + + *.gstatic.com + *.google.com + + + + + From 0e1e0c48c955e0d40307b81bb393e413f5299fbf Mon Sep 17 00:00:00 2001 From: OlgaVasyltsun Date: Mon, 2 Nov 2020 09:22:30 +0200 Subject: [PATCH 02/13] MC-38797: Fix js errors for recaptcha --- ReCaptchaVersion3Invisible/etc/csp_whitelist.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml index afae0b67..58ca9185 100644 --- a/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml +++ b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml @@ -1,4 +1,10 @@ + From c40ce6932b5cb976d8637e1323aa44c83e7704bc Mon Sep 17 00:00:00 2001 From: OlgaVasyltsun Date: Thu, 5 Nov 2020 14:00:06 +0200 Subject: [PATCH 03/13] MC-38797: Fix js errors for recaptcha --- ReCaptchaVersion3Invisible/etc/csp_whitelist.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml index 58ca9185..8a07aca9 100644 --- a/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml +++ b/ReCaptchaVersion3Invisible/etc/csp_whitelist.xml @@ -9,13 +9,13 @@ - *.google.com + https://www.google.com/recaptcha/ - *.gstatic.com - *.google.com + https://www.gstatic.com/recaptcha/ + https://www.google.com/recaptcha/ From b24392754338d7ad5147e57ad36132fb23202c0c Mon Sep 17 00:00:00 2001 From: OlgaVasyltsun Date: Tue, 10 Nov 2020 10:02:46 +0200 Subject: [PATCH 04/13] MC-38797: Fix js errors for recaptcha --- .../etc/csp_whitelist.xml | 23 +++++++++++++++++++ .../etc/csp_whitelist.xml | 23 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 ReCaptchaVersion2Checkbox/etc/csp_whitelist.xml create mode 100644 ReCaptchaVersion2Invisible/etc/csp_whitelist.xml diff --git a/ReCaptchaVersion2Checkbox/etc/csp_whitelist.xml b/ReCaptchaVersion2Checkbox/etc/csp_whitelist.xml new file mode 100644 index 00000000..8a07aca9 --- /dev/null +++ b/ReCaptchaVersion2Checkbox/etc/csp_whitelist.xml @@ -0,0 +1,23 @@ + + + + + + + https://www.google.com/recaptcha/ + + + + + https://www.gstatic.com/recaptcha/ + https://www.google.com/recaptcha/ + + + + + diff --git a/ReCaptchaVersion2Invisible/etc/csp_whitelist.xml b/ReCaptchaVersion2Invisible/etc/csp_whitelist.xml new file mode 100644 index 00000000..8a07aca9 --- /dev/null +++ b/ReCaptchaVersion2Invisible/etc/csp_whitelist.xml @@ -0,0 +1,23 @@ + + + + + + + https://www.google.com/recaptcha/ + + + + + https://www.gstatic.com/recaptcha/ + https://www.google.com/recaptcha/ + + + + + From a6bf0533da24b7b211f8bd87e555c8fa3472a48a Mon Sep 17 00:00:00 2001 From: Yaroslav Holovanych Date: Thu, 28 Jan 2021 10:55:34 +0200 Subject: [PATCH 05/13] MC-40195: [JetTeam] Unskip AdminUpdateUserTest --- .../Test/Mftf/Test/AdminUpdateUserRoleTest.xml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml diff --git a/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml b/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml new file mode 100644 index 00000000..8c83c3d7 --- /dev/null +++ b/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml @@ -0,0 +1,17 @@ + + + + + + + + + + + + From 5d3f3449a24ea1ae50fcb71b9d0df154243cd4a4 Mon Sep 17 00:00:00 2001 From: Stas Kozar Date: Mon, 8 Feb 2021 12:12:57 +0200 Subject: [PATCH 06/13] MC-40692: 2FA Google Authenticator iPhone QR Code compatibility --- TwoFactorAuth/Model/Provider/Engine/Google.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/TwoFactorAuth/Model/Provider/Engine/Google.php b/TwoFactorAuth/Model/Provider/Engine/Google.php index 5762ab0e..882d4ef4 100644 --- a/TwoFactorAuth/Model/Provider/Engine/Google.php +++ b/TwoFactorAuth/Model/Provider/Engine/Google.php @@ -98,7 +98,9 @@ public function __construct( private function generateSecret(): string { $secret = random_bytes(128); - return preg_replace('/[^A-Za-z0-9]/', '', Base32::encode($secret)); + // seed for iOS devices to avoid errors with barcode + $seed = 'abcd'; + return preg_replace('/[^A-Za-z0-9]/', '', Base32::encode($seed . $secret)); } /** From c863b8a19e84503810e6d66959b188e112da78d6 Mon Sep 17 00:00:00 2001 From: Pavel Bystritsky Date: Thu, 11 Feb 2021 14:23:45 +0200 Subject: [PATCH 07/13] magento/magento2#32100: Admin login issue fix. --- ReCaptchaUser/Test/Integration/LoginFormTest.php | 5 +++++ .../Test/Integration/ControllerActionPredispatchTest.php | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ReCaptchaUser/Test/Integration/LoginFormTest.php b/ReCaptchaUser/Test/Integration/LoginFormTest.php index ea8e7524..f0ff0437 100644 --- a/ReCaptchaUser/Test/Integration/LoginFormTest.php +++ b/ReCaptchaUser/Test/Integration/LoginFormTest.php @@ -179,6 +179,11 @@ private function checkSuccessfulGetResponse($shouldContainReCaptcha = false): vo $this->getRequest()->setUri($this->backendUrl->getUrl('admin')); $this->dispatch('backend/admin/auth/login'); + + if ($this->getResponse()->getHeader('Location')) { + $this->dispatch($this->getResponse()->getHeader('Location')->uri()->getPath()); + } + $content = $this->getResponse()->getBody(); self::assertNotEmpty($content); diff --git a/TwoFactorAuth/Test/Integration/ControllerActionPredispatchTest.php b/TwoFactorAuth/Test/Integration/ControllerActionPredispatchTest.php index a52d473f..f2c27962 100644 --- a/TwoFactorAuth/Test/Integration/ControllerActionPredispatchTest.php +++ b/TwoFactorAuth/Test/Integration/ControllerActionPredispatchTest.php @@ -91,7 +91,7 @@ public function testUnauthenticated(): void $this->dispatch('backend/admin/index/index'); //Login controller redirects to full start-up URL $this->assertRedirect($this->stringContains('index')); - $properUrl = $this->getResponse()->getHeader('Location')->getFieldValue(); + $properUrl = $this->getResponse()->getHeader('Location')->uri()->getPath(); //Login page must be rendered without redirects $this->getRequest()->setDispatched(false); From c3856959f05d1d63ac98c1e831978ab944b01e8c Mon Sep 17 00:00:00 2001 From: Yurii Sapiha Date: Thu, 1 Apr 2021 12:00:03 +0300 Subject: [PATCH 08/13] MQE-2601: Create automated test for: "Verify that admin token and customer token life time can be configured from admin" --- .../Test/Api/GoogleAuthenticateTest.php | 140 ++++++++++++++++-- 1 file changed, 131 insertions(+), 9 deletions(-) diff --git a/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php b/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php index 8fd0cd8b..b9b8c8e9 100644 --- a/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php +++ b/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php @@ -7,7 +7,12 @@ namespace Magento\TwoFactorAuth\Test\Api; +use Magento\Framework\HTTP\ClientInterface; +use Magento\Framework\Serialize\SerializerInterface; +use Magento\Framework\UrlInterface; use Magento\Framework\Webapi\Rest\Request; +use Magento\Integration\Model\Oauth\TokenFactory; +use Magento\Integration\Model\ResourceModel\Oauth\Token as TokenResource; use Magento\TestFramework\Helper\Bootstrap; use Magento\TestFramework\TestCase\WebapiAbstract; use Magento\TwoFactorAuth\Api\TfaInterface; @@ -15,6 +20,9 @@ use Magento\User\Model\UserFactory; use OTPHP\TOTP; +/** + * Class checks google authentication behaviour + */ class GoogleAuthenticateTest extends WebapiAbstract { const SERVICE_VERSION = 'V1'; @@ -37,18 +45,53 @@ class GoogleAuthenticateTest extends WebapiAbstract */ private $tfa; + /** + * @var ClientInterface + */ + private $client; + + /** + * @var UrlInterface + */ + private $url; + + /** + * @var SerializerInterface + */ + private $json; + + /** + * @var TokenResource + */ + private $tokenResource; + + /** + * @var TokenFactory + */ + private $tokenFactory; + + /** + * @inheritdoc + */ protected function setUp(): void { $objectManager = Bootstrap::getObjectManager(); $this->userFactory = $objectManager->get(UserFactory::class); $this->google = $objectManager->get(Google::class); $this->tfa = $objectManager->get(TfaInterface::class); + $this->client = $objectManager->get(ClientInterface::class); + $this->url = $objectManager->get(UrlInterface::class); + $this->json = $objectManager->get(SerializerInterface::class); + $this->tokenResource = $objectManager->get(TokenResource::class); + $this->tokenFactory = $objectManager->get(TokenFactory::class); } /** * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php + * + * @return void */ - public function testInvalidCredentials() + public function testInvalidCredentials(): void { $serviceInfo = $this->buildServiceInfo(); @@ -80,8 +123,10 @@ public function testInvalidCredentials() /** * @magentoConfigFixture twofactorauth/general/force_providers duo_security * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php + * + * @return void */ - public function testUnavailableProvider() + public function testUnavailableProvider(): void { $serviceInfo = $this->buildServiceInfo(); @@ -109,8 +154,10 @@ public function testUnavailableProvider() /** * @magentoConfigFixture twofactorauth/general/force_providers google * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php + * + * @return void */ - public function testInvalidToken() + public function testInvalidToken(): void { $userId = $this->getUserId(); $serviceInfo = $this->buildServiceInfo(); @@ -141,8 +188,10 @@ public function testInvalidToken() /** * @magentoConfigFixture twofactorauth/general/force_providers google * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php + * + * @return void */ - public function testNotConfiguredProvider() + public function testNotConfiguredProvider(): void { $userId = $this->getUserId(); $serviceInfo = $this->buildServiceInfo(); @@ -174,8 +223,10 @@ public function testNotConfiguredProvider() * @magentoConfigFixture twofactorauth/general/force_providers google * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php * @magentoConfigFixture twofactorauth/google/otp_window 120 + * + * @return void */ - public function testValidToken() + public function testValidToken(): void { $userId = $this->getUserId(); $otp = $this->getUserOtp(); @@ -195,6 +246,36 @@ public function testValidToken() self::assertMatchesRegularExpression('/^[a-z0-9]{32}$/', $response); } + /** + * @magentoConfigFixture default/oauth/access_token_lifetime/admin 1 + * @magentoConfigFixture twofactorauth/general/force_providers google + * + * @magentoApiDataFixture Magento/Webapi/_files/webapi_user.php + * @magentoApiDataFixture Magento/Customer/_files/customer.php + * + * @return void + */ + public function testAdminTokenLifetime(): void + { + $this->tfa->getProviderByCode(Google::CODE)->activate($this->getUserId('webapi_user')); + $otp = $this->getUserOtp('webapi_user'); + $serviceInfo = $this->buildServiceInfo(); + $requestData = [ + 'otp' => $otp, + 'username' => 'webapi_user', + 'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD, + ]; + $accessToken = $this->_webApiCall($serviceInfo, $requestData); + $result = $this->doCustomerRequest($accessToken, 1); + $this->assertContains('customer@example.com', $this->json->unserialize($result)); + $this->updateTokenCreatedTime($accessToken); + $result = $this->doCustomerRequest($accessToken, 1); + $this->assertContains( + 'The consumer isn\'t authorized to access %resources.', + $this->json->unserialize($result) + ); + } + /** * @return array */ @@ -217,20 +298,61 @@ private function buildServiceInfo(): array ]; } - private function getUserId(): int + /** + * Get user id + * + * @param string $userName + * @return int + */ + private function getUserId($userName = 'customRoleUser'): int { $user = $this->userFactory->create(); - $user->loadByUsername('customRoleUser'); + $user->loadByUsername($userName); return (int)$user->getId(); } - private function getUserOtp(): string + /** + * Get user otp + * + * @param string $userName + * @return string + */ + private function getUserOtp($userName = 'customRoleUser'): string { $user = $this->userFactory->create(); - $user->loadByUsername('customRoleUser'); + $user->loadByUsername($userName); $totp = TOTP::create($this->google->getSecretCode($user)); return $totp->now(); } + + /** + * Perform request to customers endpoint + * + * @param string $accessToken + * @return string + */ + private function doCustomerRequest(string $accessToken, $customerId): string + { + $this->client->addHeader('Authorization', 'Bearer ' . $accessToken); + $this->client->get($this->url->getBaseUrl() . 'rest/V1/customers/' . $customerId); + + return $this->client->getBody(); + } + + /** + * Update token created time + * + * @param string $accessToken + * @return void + */ + private function updateTokenCreatedTime(string $accessToken): void + { + $token = $this->tokenFactory->create(); + $token->loadByToken($accessToken); + $createdAt = (new \DateTime('-1 day'))->format('Y-m-d H:i:s'); + $token->setCreatedAt($createdAt); + $this->tokenResource->save($token); + } } From 13f9e37176ce56090fc07149ecb5ceaeefcf6fa5 Mon Sep 17 00:00:00 2001 From: ogorkun Date: Thu, 8 Apr 2021 11:37:57 -0500 Subject: [PATCH 09/13] MC-32830: Do not store admin and customer tokens in DB --- .../Model/Provider/Engine/Authy/AuthenticateTest.php | 4 ++-- .../Model/Provider/Engine/DuoSecurity/AuthenticateTest.php | 2 +- .../Model/Provider/Engine/U2fKey/AuthenticateTest.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/Authy/AuthenticateTest.php b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/Authy/AuthenticateTest.php index 28478822..4f3dcd37 100644 --- a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/Authy/AuthenticateTest.php +++ b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/Authy/AuthenticateTest.php @@ -156,7 +156,7 @@ public function testAuthenticateValidRequest() 'abc' ); - self::assertMatchesRegularExpression('/^[a-z0-9]{32}$/', $result); + self::assertNotEmpty($result); } /** @@ -290,7 +290,7 @@ public function testCreateTokenWithOneTouch() Bootstrap::ADMIN_PASSWORD ); - self::assertMatchesRegularExpression('/^[a-z0-9]{32}$/', $result); + self::assertNotEmpty($result); } /** diff --git a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/DuoSecurity/AuthenticateTest.php b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/DuoSecurity/AuthenticateTest.php index 0328a383..ff62192c 100644 --- a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/DuoSecurity/AuthenticateTest.php +++ b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/DuoSecurity/AuthenticateTest.php @@ -257,7 +257,7 @@ public function testVerifyValidRequest() $signature ); - self::assertMatchesRegularExpression('/^[a-z0-9]{32}$/', $token); + self::assertNotEmpty($token); } /** diff --git a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/U2fKey/AuthenticateTest.php b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/U2fKey/AuthenticateTest.php index ca912912..3448fc6a 100644 --- a/TwoFactorAuth/Test/Integration/Model/Provider/Engine/U2fKey/AuthenticateTest.php +++ b/TwoFactorAuth/Test/Integration/Model/Provider/Engine/U2fKey/AuthenticateTest.php @@ -238,7 +238,7 @@ public function testVerifyValidRequest() Bootstrap::ADMIN_PASSWORD, json_encode($verifyData) ); - self::assertMatchesRegularExpression('/^[a-z0-9]{32}$/', $token); + self::assertNotEmpty($token); } /** From a1299e2c9a011b15d9b5a34a777ce3f66686637b Mon Sep 17 00:00:00 2001 From: Yurii Sapiha Date: Wed, 14 Apr 2021 13:32:25 +0300 Subject: [PATCH 10/13] MQE-2601: Create automated test for: "Verify that admin token and customer token life time can be configured from admin" --- TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php b/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php index b9b8c8e9..bd6e5eca 100644 --- a/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php +++ b/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php @@ -257,6 +257,7 @@ public function testValidToken(): void */ public function testAdminTokenLifetime(): void { + $this->_markTestAsRestOnly(); $this->tfa->getProviderByCode(Google::CODE)->activate($this->getUserId('webapi_user')); $otp = $this->getUserOtp('webapi_user'); $serviceInfo = $this->buildServiceInfo(); From 5f0dd97bcfc07fda8b0912def730f185ce4a7ffd Mon Sep 17 00:00:00 2001 From: Myroslav Dobra Date: Thu, 22 Apr 2021 11:37:16 +0300 Subject: [PATCH 11/13] MC-40692: 2FA Google Authenticator iPhone QR Code compatibility --- TwoFactorAuth/Model/Provider/Engine/Google.php | 1 + 1 file changed, 1 insertion(+) diff --git a/TwoFactorAuth/Model/Provider/Engine/Google.php b/TwoFactorAuth/Model/Provider/Engine/Google.php index 882d4ef4..a982c764 100644 --- a/TwoFactorAuth/Model/Provider/Engine/Google.php +++ b/TwoFactorAuth/Model/Provider/Engine/Google.php @@ -100,6 +100,7 @@ private function generateSecret(): string $secret = random_bytes(128); // seed for iOS devices to avoid errors with barcode $seed = 'abcd'; + return preg_replace('/[^A-Za-z0-9]/', '', Base32::encode($seed . $secret)); } From fb06d4caabea49f0e321db0855c47a461edd466f Mon Sep 17 00:00:00 2001 From: Sachin Admane Date: Wed, 5 May 2021 12:03:15 -0500 Subject: [PATCH 12/13] MC-42191: MFTF annotations fix --- TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml b/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml index 8c83c3d7..d07e2b46 100644 --- a/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml +++ b/TwoFactorAuth/Test/Mftf/Test/AdminUpdateUserRoleTest.xml @@ -5,8 +5,15 @@ * See COPYING.txt for license details. */ --> - + + + + + <description value="Change full access role for admin user to custom one"/> + <severity value="AVERAGE"/> + </annotations> <before> <actionGroup ref="AdminChooseUserRoleResourceActionGroup" before="saveNewRole" stepKey="enableTfa"> <argument name="resourceId" value="Magento_TwoFactorAuth::tfa"/> From fef8ffb44f5a0d5f03ef26632d8b527b0b31b5a2 Mon Sep 17 00:00:00 2001 From: "hwyu@adobe.com" <hwyu@adobe.com> Date: Thu, 13 May 2021 14:06:53 -0500 Subject: [PATCH 13/13] MC-37583: Fix Failing 2FA Integration tests when DB table prefixes are enabled --- TwoFactorAuth/Test/Integration/UserConfigManagerTest.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/TwoFactorAuth/Test/Integration/UserConfigManagerTest.php b/TwoFactorAuth/Test/Integration/UserConfigManagerTest.php index ff947d45..0ef7d110 100644 --- a/TwoFactorAuth/Test/Integration/UserConfigManagerTest.php +++ b/TwoFactorAuth/Test/Integration/UserConfigManagerTest.php @@ -170,8 +170,8 @@ public function testShouldEncryptConfiguration(): void $encryptor = Bootstrap::getObjectManager()->create(EncryptorInterface::class); /** @var ResourceConnection $resourceConnection */ - $connection = Bootstrap::getObjectManager()->get(ResourceConnection::class) - ->getConnection(ResourceConnection::DEFAULT_CONNECTION); + $resourceConnection = Bootstrap::getObjectManager()->get(ResourceConnection::class); + $connection = $resourceConnection->getConnection(ResourceConnection::DEFAULT_CONNECTION); $configPayload = ['a' => 1, 'b' => 2]; @@ -181,8 +181,10 @@ public function testShouldEncryptConfiguration(): void $configPayload ); + $tfaUserConfig = $resourceConnection->getTableName('tfa_user_config'); + $qry = $connection->select() - ->from('tfa_user_config', 'encoded_config') + ->from($tfaUserConfig, 'encoded_config') ->where('user_id = ?', (int)$dummyUser->getId()); $res = $connection->fetchOne($qry);