Merge remote-tracking branch 'origin/2.4-develop' into CABPI-410

Author: yaroslavGoncharuk

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,72 @@
+name: Bug report
+description: Technical issue with the Magento 2 core components
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please read [our guidelines](https://developer.adobe.com/commerce/contributor/guides/code-contributions/#report-an-issue) before submitting the issue.
+  - type: textarea
+    attributes:
+      label: Preconditions and environment
+      description: |
+        Describe your environment.
+        Provide all the details that will help us to reproduce the bug.
+      value: |
+        - Magento version
+        - Anything else that would help a developer reproduce the bug
+  - type: textarea
+    attributes:
+      label: Steps to reproduce
+      description: |
+        Provide a set of clear steps to reproduce this bug.
+      placeholder: |
+        Example:
+          1. Navigate to storefront as a guest.
+          2. Open Test Category.
+          3. Click “Add to Cart” on the Virtual Product.
+          4. Open mini shopping cart and click “Proceed to Checkout”.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected result
+      description: |
+        Tell us what you expected to happen.
+      placeholder: |
+        Example:
+          Order is placed successfully, customer is redirected to the success page.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual result
+      description: |
+        Tell us what happened. Include error messages and issues.
+      placeholder: |
+        Example:
+          “Place order” button is not visible, order cannot be placed.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional information
+      description: |
+        Additional information is often requested when the bug report is processed. You can save time by providing both Magento and browser logs, screenshots, repository branch and HEAD commit you checked out to install Magento and any other artifacts related to the issue.
+        Also, links to the comments with important information, Root Cause analysis, additional video recordings; and anything else that is important for the issue and at some reason cannot be added to other sections.
+  - type: textarea
+    attributes:
+      label: Release note
+      description: |
+        Help us to provide meaningful release notes to the community.
+  - type: checkboxes
+    attributes:
+      label: Triage and priority
+      description: |
+        Provide [Severity](https://developer.adobe.com/commerce/contributor/guides/code-contributions/#community-backlog-priority) assessment for the Issue as a Reporter.
+        This information helps us during the Confirmation and Issue triage processes.
+      options:
+        - label: 'Severity: **S0** _- Affects critical data or functionality and leaves users without workaround._'
+        - label: 'Severity: **S1** _- Affects critical data or functionality and forces users to employ a workaround._'
+        - label: 'Severity: **S2** _- Affects non-critical data or functionality and forces users to employ a workaround._'
+        - label: 'Severity: **S3** _- Affects non-critical data or functionality and does not force users to employ a workaround._'
+        - label: 'Severity: **S4** _- Affects aesthetics, professional look and feel, “quality” or “usability”._'

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -4,7 +4,7 @@ Magento values the contributions of the security research community, and we look
 
 ## Where should I report security issues?
 
-We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento).  Please provide us with relevant technical details and repro steps to expedite our investigation.  If you prefer not to use HackerOne, email us directly at `psirt@adobe.com` with details and repro steps.  
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/adobe).  Please provide us with relevant technical details and repro steps to expedite our investigation.  If you prefer not to use HackerOne, email us directly at `psirt@adobe.com` with details and repro steps.  
 
 ## Learning More About Security
 To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).

SECURITY.md

@@ -102,14 +102,15 @@ public function execute(): Redirect
             $tokenResponse = $this->adminImsConnection->getTokenResponse($code);
             $accessToken = $tokenResponse->getAccessToken();
 
-            //check organization assignment
-            $this->adminOrganizationService->checkOrganizationAllocation($accessToken);
-
             //get profile info to check email
             $profile = $this->adminImsConnection->getProfile($accessToken);
             if (empty($profile['email'])) {
                 throw new AuthenticationException(__('An authentication error occurred. Verify and try again.'));
             }
+
+            //check membership in organization
+            $this->adminOrganizationService->checkOrganizationMembership($accessToken);
+
             $this->adminLoginProcessService->execute($tokenResponse, $profile);
         } catch (AdobeImsAuthorizationException $e) {
             $this->logger->error($e->getMessage());

app/code/Magento/AdminAdobeIms/Controller/Adminhtml/OAuth/ImsCallback.php

@@ -118,14 +118,16 @@ public function execute(): ResultInterface
             }
 
             $tokenResponse = $this->adminImsConnection->getTokenResponse($code);
+            $accessToken = $tokenResponse->getAccessToken();
 
-            $profile = $this->adminImsConnection->getProfile($tokenResponse->getAccessToken());
+            $profile = $this->adminImsConnection->getProfile($accessToken);
             if (empty($profile['email'])) {
                 throw new AuthenticationException(__('An authentication error occurred. Verify and try again.'));
             }
 
-            $accessToken = $tokenResponse->getAccessToken();
-            $this->adminOrganizationService->checkOrganizationAllocation($accessToken);
+            //check membership in organization
+            $this->adminOrganizationService->checkOrganizationMembership($accessToken);
+
             $this->adminReauthProcessService->execute($tokenResponse);
 
             $response = sprintf(

app/code/Magento/AdminAdobeIms/Controller/Adminhtml/OAuth/ImsReauthCallback.php

@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Plugin\Block\Adminhtml\Integration\Edit\Tab;
+
+use Magento\AdminAdobeIms\Plugin\AdobeImsReauth\AddAdobeImsReAuthButton;
+use Magento\AdminAdobeIms\Service\ImsConfig;
+use Magento\Integration\Block\Adminhtml\Integration\Edit\Tab\Info;
+
+class AddReAuthVerification
+{
+    /**
+     * @var AddAdobeImsReAuthButton
+     */
+    private AddAdobeImsReAuthButton $adobeImsReAuthButton;
+
+    /**
+     * @var ImsConfig
+     */
+    private ImsConfig $adminAdobeImsConfig;
+
+    /**
+     * @param AddAdobeImsReAuthButton $adobeImsReAuthButton
+     * @param ImsConfig $adminAdobeImsConfig
+     */
+    public function __construct(
+        AddAdobeImsReAuthButton $adobeImsReAuthButton,
+        ImsConfig $adminAdobeImsConfig
+    ) {
+        $this->adobeImsReAuthButton = $adobeImsReAuthButton;
+        $this->adminAdobeImsConfig = $adminAdobeImsConfig;
+    }
+
+    /**
+     * Add adobeIms reAuth button to integration new/edit form
+     *
+     * @param Info $subject
+     * @return void
+     */
+    public function beforeGetFormHtml(Info $subject): void
+    {
+        if ($this->adminAdobeImsConfig->enabled()) {
+            $form = $subject->getForm();
+            if (is_object($form)) {
+                $verificationFieldset = $form->getElement('current_user_verification_fieldset');
+                if ($verificationFieldset !== null) {
+                    $this->adobeImsReAuthButton->addAdobeImsReAuthButton($verificationFieldset);
+                    $subject->setForm($form);
+                }
+            }
+        }
+    }
+}

app/code/Magento/AdminAdobeIms/Plugin/Block/Adminhtml/Integration/Edit/Tab/AddReAuthVerification.php

@@ -33,12 +33,13 @@ public function __construct(ImsConfig $adminImsConfig)
      * @param ResetAttemptForBackendObserver $subject
      * @param callable $proceed
      * @param Observer $observer
+     * @return void
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
-    public function aroundExecute(ResetAttemptForBackendObserver $subject, callable $proceed, Observer $observer)
+    public function aroundExecute(ResetAttemptForBackendObserver $subject, callable $proceed, Observer $observer): void
     {
         if (!$this->adminImsConfig->enabled()) {
-            return $proceed($observer);
+            $proceed($observer);
         }
     }
 }

app/code/Magento/AdminAdobeIms/Plugin/ResetAttemptForBackendObserverPlugin.php

@@ -34,6 +34,7 @@ class ImsConfig extends Config
     public const XML_PATH_ADMIN_AUTH_URL_PATTERN = 'adobe_ims/integration/admin/auth_url_pattern';
     public const XML_PATH_ADMIN_REAUTH_URL_PATTERN = 'adobe_ims/integration/admin/reauth_url_pattern';
     public const XML_PATH_ADMIN_ADOBE_IMS_SCOPES = 'adobe_ims/integration/admin/scopes';
+    public const XML_PATH_ORGANIZATION_MEMBERSHIP_URL = 'adobe_ims/integration/organization_membership_url';
 
     private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
 
@@ -376,4 +377,19 @@ public function getCertificateUrl(string $fileName): string
     {
         return $this->scopeConfig->getValue(self::XML_PATH_CERTIFICATE_PATH) . $fileName;
     }
+
+    /**
+     * Get url to check organization membership
+     *
+     * @param string $orgId
+     * @return string
+     */
+    public function getOrganizationMembershipUrl(string $orgId): string
+    {
+        return str_replace(
+            ['#{org_id}'],
+            [$orgId],
+            $this->scopeConfig->getValue(self::XML_PATH_ORGANIZATION_MEMBERSHIP_URL)
+        );
+    }
 }

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -9,6 +9,7 @@
 namespace Magento\AdminAdobeIms\Service;
 
 use Magento\AdminAdobeIms\Exception\AdobeImsOrganizationAuthorizationException;
+use Magento\Framework\HTTP\Client\CurlFactory;
 
 class ImsOrganizationService
 {
@@ -17,33 +18,68 @@ class ImsOrganizationService
      */
     private ImsConfig $adminImsConfig;
 
+    /**
+     * @var CurlFactory
+     */
+    private CurlFactory $curlFactory;
+
     /**
      * @param ImsConfig $adminImsConfig
+     * @param CurlFactory $curlFactory
      */
     public function __construct(
-        ImsConfig $adminImsConfig
+        ImsConfig $adminImsConfig,
+        CurlFactory $curlFactory
     ) {
         $this->adminImsConfig = $adminImsConfig;
+        $this->curlFactory = $curlFactory;
     }
 
     /**
-     * Check if user is assigned to organization
+     * Check if user is a member of Adobe Organization
      *
-     * @param string $token
-     * @return bool
+     * @param string $access_token
+     * @return void
      * @throws AdobeImsOrganizationAuthorizationException
      */
-    public function checkOrganizationAllocation(string $token): bool
+    public function checkOrganizationMembership(string $access_token): void
     {
-        $configuredOrganization = $this->adminImsConfig->getOrganizationId();
+        $configuredOrganizationId = $this->adminImsConfig->getOrganizationId();
 
-        //@TODO CABPI-324: Change Org check to use new endpoint
-        if ($configuredOrganization === '' || !$token) {
+        if ($configuredOrganizationId === '' || !$access_token) {
             throw new AdobeImsOrganizationAuthorizationException(
-                __('User is not assigned to defined organization.')
+                __('Can\'t check user membership in organization.')
             );
         }
 
-        return true;
+        try {
+            $curl = $this->curlFactory->create();
+
+            $curl->addHeader('Content-Type', 'application/x-www-form-urlencoded');
+            $curl->addHeader('cache-control', 'no-cache');
+            $curl->addHeader('Authorization', 'Bearer ' . $access_token);
+
+            $orgCheckUrl = $this->adminImsConfig->getOrganizationMembershipUrl($configuredOrganizationId);
+            $curl->get($orgCheckUrl);
+
+            if ($curl->getBody() === '') {
+                throw new AdobeImsOrganizationAuthorizationException(
+                    __('Could not check Organization Membership. Response is empty.')
+                );
+            }
+
+            $response = $curl->getBody();
+
+            if ($response !== 'true') {
+                throw new AdobeImsOrganizationAuthorizationException(
+                    __('User is not a member of configured Adobe Organization.')
+                );
+            }
+
+        } catch (\Exception $exception) {
+            throw new AdobeImsOrganizationAuthorizationException(
+                __('Organization Membership check can\'t be performed')
+            );
+        }
     }
 }

app/code/Magento/AdminAdobeIms/Service/ImsOrganizationService.php

@@ -16,6 +16,9 @@
             <description value="Runs bin/magento admin:adobe-ims info command"/>
             <severity value="MINOR"/>
             <group value="admin_ims"/>
+            <skip>
+                <issueId value="AC-3153">Skipped</issueId>
+            </skip>
             <testCaseId value="CABPI-186"/>
         </annotations>
         <before>