Merge pull request #417 from magento-performance/CABPI-290-revoke-admin-session

CABPI-290: prolong admin session if access token is valid

Author: slopukhov

app/code/Magento/AdminAdobeIms/Model/ImsConnection.php

@@ -9,6 +9,7 @@
 namespace Magento\AdminAdobeIms\Model;
 
 use Magento\AdminAdobeIms\Exception\AdobeImsTokenAuthorizationException;
+use Magento\AdminAdobeIms\Logger\AdminAdobeImsLogger;
 use Magento\AdminAdobeIms\Service\ImsConfig;
 use Magento\AdobeIms\Model\GetToken;
 use Magento\AdobeImsApi\Api\Data\TokenResponseInterface;
@@ -42,22 +43,30 @@ class ImsConnection
      */
     private GetToken $token;
 
+    /**
+     * @var AdminAdobeImsLogger
+     */
+    private AdminAdobeImsLogger $adminAdobeImsLogger;
+
     /**
      * @param CurlFactory $curlFactory
      * @param ImsConfig $imsConfig
      * @param Json $json
      * @param GetToken $token
+     * @param AdminAdobeImsLogger $adminAdobeImsLogger
      */
     public function __construct(
         CurlFactory $curlFactory,
         ImsConfig $imsConfig,
         Json $json,
-        GetToken $token
+        GetToken $token,
+        AdminAdobeImsLogger $adminAdobeImsLogger
     ) {
         $this->curlFactory = $curlFactory;
         $this->imsConfig = $imsConfig;
         $this->json = $json;
         $this->token = $token;
+        $this->adminAdobeImsLogger = $adminAdobeImsLogger;
     }
 
     /**
@@ -140,19 +149,20 @@ private function validateResponse(Curl $curl): void
      * Verify if access_token is valid
      *
      * @param string $code
+     * @param string $tokenType
      * @return bool
      * @throws AuthorizationException
      */
-    public function verifyToken(string $code): bool
+    public function validateToken(string $code, string $tokenType = 'access_token'): bool
     {
+        $isTokenValid = false;
         $curl = $this->curlFactory->create();
 
         $curl->addHeader('Content-Type', 'application/x-www-form-urlencoded');
         $curl->addHeader('cache-control', 'no-cache');
-        $curl->addHeader('Authorization', 'Bearer ' . $code);
 
         $curl->post(
-            $this->imsConfig->getVerifyUrl($code),
+            $this->imsConfig->getValidateTokenUrl($code, $tokenType),
             []
         );
 
@@ -164,7 +174,15 @@ public function verifyToken(string $code): bool
 
         $body = $this->json->unserialize($curl->getBody());
 
-        return isset($body['valid']) && $body['valid'] === true;
+        if (isset($body['valid'])) {
+            $isTokenValid = (bool)$body['valid'];
+        }
+
+        if (!$isTokenValid && isset($body['reason'])) {
+            $this->adminAdobeImsLogger->info($tokenType . ' is not valid. Reason: ' . $body['reason']);
+        }
+
+        return $isTokenValid;
     }
 
     /**

app/code/Magento/AdminAdobeIms/Plugin/BackendAuthSessionPlugin.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Plugin;
+
+use Magento\AdminAdobeIms\Model\ImsConnection;
+use Magento\AdminAdobeIms\Service\ImsConfig;
+use Magento\Backend\Model\Auth\Session;
+use Magento\Framework\Stdlib\DateTime\DateTime;
+
+class BackendAuthSessionPlugin
+{
+    /**
+     * How often access_token has to be validated
+     */
+    public const ACCESS_TOKEN_INTERVAL_CHECK = 600;
+
+    /**
+     * @var ImsConnection
+     */
+    private ImsConnection $imsConnection;
+
+    /**
+     * @var DateTime
+     */
+    private DateTime $dateTime;
+
+    /**
+     * @var ImsConfig
+     */
+    private ImsConfig $imsConfig;
+
+    /**
+     * @param ImsConnection $imsConnection
+     * @param DateTime $dateTime
+     * @param ImsConfig $imsConfig
+     */
+    public function __construct(
+        ImsConnection $imsConnection,
+        DateTime $dateTime,
+        ImsConfig $imsConfig
+    ) {
+        $this->imsConnection = $imsConnection;
+        $this->dateTime = $dateTime;
+        $this->imsConfig = $imsConfig;
+    }
+
+    /**
+     * Check if access token still valid
+     *
+     * @param Session $subject
+     * @param callable $proceed
+     * @return void
+     * @throws \Magento\Framework\Exception\AuthorizationException
+     */
+    public function aroundProlong(Session $subject, callable $proceed): void
+    {
+        if ($this->imsConfig->enabled()) {
+            $lastCheckTime = $subject->getTokenLastCheckTime();
+            if ($lastCheckTime + self::ACCESS_TOKEN_INTERVAL_CHECK <= $this->dateTime->gmtTimestamp()) {
+                $accessToken = $subject->getAdobeAccessToken();
+                if ($this->imsConnection->validateToken($accessToken)) {
+                    $subject->setTokenLastCheckTime($this->dateTime->gmtTimestamp());
+                } else {
+                    $subject->destroy();
+                    return;
+                }
+            }
+        }
+
+        $proceed();
+    }
+}

app/code/Magento/AdminAdobeIms/Plugin/ReplaceVerifyIdentityWithImsPlugin.php

@@ -109,6 +109,6 @@ private function verifyImsToken(User $user): bool
         }
 
         $accessToken = $this->encryptor->decrypt($userProfile->getAccessToken());
-        return $this->imsConnection->verifyToken($accessToken);
+        return $this->imsConnection->validateToken($accessToken);
     }
 }

app/code/Magento/AdminAdobeIms/README.md

@@ -177,3 +177,14 @@ This authentication mechanism enabled for REST and SOAP web API areas.
 Examples, how developers can test functionality:
 curl -X GET "{domain}/rest/V1/customers/2" -H "Authorization: Bearer AddAdobeImsAccessToken"
 curl -X GET "{domain}/rest/V1/products/24-MB01" -H "Authorization: Bearer AddAdobeImsAccessToken" 
+
+# ACCESS_TOKEN saving in session and validation
+When AdminAdomeIms module is enabled, we check each 10 minutes if ACCESS_TOKEN is still valid.
+For this when admin user login and when session is started, we add 2 extra varibles to the session:
+token_last_check_time is current time
+adobe_access_token is ACCESS_TOKEN that we recieve during autorization
+
+There is a plugin \Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin where we check if token_last_check_time was updated 10 min ago. 
+If yes, then we make call to IMS to validate access_token.
+If token is valid, value token_last_check_time will be updated to current time and session prolong.
+If token is not valid, session will be destroyed.

app/code/Magento/AdminAdobeIms/Service/AdminLoginProcessService.php

@@ -16,17 +16,20 @@
 use Magento\AdminAdobeIms\Model\User;
 use Magento\AdobeIms\Model\LogIn;
 use Magento\AdobeImsApi\Api\Data\TokenResponseInterface;
+use Magento\Framework\Stdlib\DateTime\DateTime;
 
 class AdminLoginProcessService
 {
     /**
      * @var User
      */
     private User $adminUser;
+
     /**
      * @var Auth
      */
     private Auth $auth;
+
     /**
      * @var LogIn
      */
@@ -37,22 +40,30 @@ class AdminLoginProcessService
      */
     private LogOut $logOut;
 
+    /**
+     * @var DateTime
+     */
+    private DateTime $dateTime;
+
     /**
      * @param User $adminUser
      * @param Auth $auth
      * @param LogIn $logIn
      * @param LogOut $logOut
+     * @param DateTime $dateTime
      */
     public function __construct(
         User $adminUser,
         Auth $auth,
         LogIn $logIn,
-        LogOut $logOut
+        LogOut $logOut,
+        DateTime $dateTime
     ) {
         $this->adminUser = $adminUser;
         $this->auth = $auth;
         $this->logIn = $logIn;
         $this->logOut = $logOut;
+        $this->dateTime = $dateTime;
     }
 
     /**
@@ -76,6 +87,9 @@ public function execute(array $profile, TokenResponseInterface $tokenResponse):
         try {
             $this->logIn->execute((int)$adminUser['user_id'], $tokenResponse);
             $this->auth->loginByUsername($adminUser['username']);
+            $session = $this->auth->getAuthStorage();
+            $session->setAdobeAccessToken($tokenResponse->getAccessToken());
+            $session->setTokenLastCheckTime($this->dateTime->gmtTimestamp());
         } catch (Exception $exception) {
             $this->externalLogout($tokenResponse->getAccessToken());
             throw new AdobeImsTokenAuthorizationException(

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -27,12 +27,12 @@ class ImsConfig extends Config
     public const XML_PATH_AUTH_URL_PATTERN = 'adobe_ims/integration/auth_url_pattern';
     public const XML_PATH_PROFILE_URL = 'adobe_ims/integration/profile_url';
     public const XML_PATH_NEW_ADMIN_EMAIL_TEMPLATE = 'adobe_ims/email/content_template';
-    public const XML_PATH_VERIFY_URL = 'adobe_ims/integration/verify_url';
-
-    private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
+    public const XML_PATH_VALIDATE_TOKEN_URL = 'adobe_ims/integration/validate_token_url';
     public const XML_PATH_LOGOUT_URL = 'adobe_ims/integration/logout_url';
     public const XML_PATH_CERTIFICATE_PATH = 'adobe_ims/integration/certificate_path';
 
+    private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
+
     /**
      * @var ScopeConfigInterface
      */
@@ -164,17 +164,18 @@ public function getProfileUrl(): string
     }
 
     /**
-     * Get Token verification url
+     * Get Token validation url
      *
      * @param string $code
+     * @param string $tokenType
      * @return string
      */
-    public function getVerifyUrl(string $code): string
+    public function getValidateTokenUrl(string $code, string $tokenType): string
     {
         return str_replace(
-            ['#{token}', '#{client_id}'],
-            [$code, $this->getApiKey()],
-            $this->scopeConfig->getValue(self::XML_PATH_VERIFY_URL)
+            ['#{token}', '#{client_id}', '#{token_type}'],
+            [$code, $this->getApiKey(), $tokenType],
+            $this->scopeConfig->getValue(self::XML_PATH_VALIDATE_TOKEN_URL)
         );
     }
 

app/code/Magento/AdminAdobeIms/Test/Unit/Plugin/ReplaceVerifyIdentityWithImsPluginTest.php

@@ -95,7 +95,7 @@ public function testAroundVerifyIdentityCallsProceedWhenModuleIsDisabled(): void
 
         $this->imsConnectionMock
             ->expects($this->never())
-            ->method('verifyToken');
+            ->method('validateToken');
 
         $this->assertEquals($expectedResult, $this->plugin->aroundVerifyIdentity($subject, $proceed, ''));
     }
@@ -124,7 +124,7 @@ public function testAroundVerifyIdentityVerifiesAccessTokenWhenModuleIsEnabled()
 
         $this->imsConnectionMock
             ->expects($this->once())
-            ->method('verifyToken')
+            ->method('validateToken')
             ->willReturn(true);
 
         $expectedResult = true;
@@ -160,7 +160,7 @@ public function testAroundVerifyIdentityThrowsExceptionOnInvalidToken(): void
 
         $this->imsConnectionMock
             ->expects($this->once())
-            ->method('verifyToken')
+            ->method('validateToken')
             ->willReturn(false);
 
         $this->expectException(AuthenticationException::class);

app/code/Magento/AdminAdobeIms/etc/config.xml

@@ -17,7 +17,7 @@
                 <profile_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/profile/v1?client_id=#{client_id}]]></profile_url>
                 <logout_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/logout/v1?access_token=#{access_token}&amp;client_id=#{client_id}&amp;client_secret=#{client_secret}]]></logout_url>
                 <certificate_path><![CDATA[https://static.adobelogin.com/keys/prod/]]></certificate_path>
-                <verify_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/validate_token/v1?token=#{token}&client_id=#{client_id}&type=access_token]]></verify_url>
+                <validate_token_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/validate_token/v1?token=#{token}&client_id=#{client_id}&type=#{token_type}]]></validate_token_url>
             </integration>
             <email>
                 <header_template>admin_adobe_ims_email_header_template</header_template>

app/code/Magento/AdminAdobeIms/etc/di.xml

@@ -66,4 +66,9 @@
         <plugin name="admin_adobe_ims_admin_token_plugin"
                 type="Magento\AdminAdobeIms\Plugin\AdminTokenPlugin" />
     </type>
+
+    <type name="Magento\Backend\Model\Auth\Session">
+        <plugin name="admin_adobe_ims_backend_auth_session"
+                type="Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin"/>
+    </type>
 </config>