Merge pull request #396 from magento-performance/cabpi-197-admin-logout

CABPI-197 admin logout

Author: andimov

app/code/Magento/AdminAdobeIms/Model/Auth.php

@@ -14,6 +14,12 @@
 
 class Auth extends BackendAuth
 {
+    /**
+     * @var string
+     */
+    private string $errorMessage = 'The account sign-in was incorrect or your account is disabled temporarily. '
+        . 'Please wait and try again later.';
+
     /**
      * Perform login process without password
      *
@@ -26,10 +32,7 @@ public function loginByUsername(string $username): void
     {
         if (empty($username)) {
             self::throwException(
-                __(
-                    'The account sign-in was incorrect or your account is disabled temporarily. '
-                    . 'Please wait and try again later.'
-                )
+                __($this->errorMessage)
             );
         }
 
@@ -48,10 +51,7 @@ public function loginByUsername(string $username): void
 
             if (!$this->getAuthStorage()->getUser()) {
                 self::throwException(
-                    __(
-                        'The account sign-in was incorrect or your account is disabled temporarily. '
-                        . 'Please wait and try again later.'
-                    )
+                    __($this->errorMessage)
                 );
             }
         } catch (PluginAuthenticationException $e) {
@@ -67,8 +67,7 @@ public function loginByUsername(string $username): void
             );
             self::throwException(
                 __(
-                    $e->getMessage()? : 'The account sign-in was incorrect or your account is disabled temporarily. '
-                        . 'Please wait and try again later.'
+                    $e->getMessage()? : $this->errorMessage
                 )
             );
         }

app/code/Magento/AdminAdobeIms/Model/LogOut.php

@@ -0,0 +1,154 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Model;
+
+use Magento\AdminAdobeIms\Exception\AdobeImsTokenAuthorizationException;
+use Magento\AdobeImsApi\Api\FlushUserTokensInterface;
+use Magento\AdobeImsApi\Api\GetAccessTokenInterface;
+use Magento\AdminAdobeIms\Service\ImsConfig;
+use Magento\AdobeImsApi\Api\LogOutInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\HTTP\Client\CurlFactory;
+use Magento\AdminAdobeIms\Model\ImsConnection;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Represent functionality for log out users from the Adobe account
+ */
+class LogOut implements LogOutInterface
+{
+    /**
+     * Successful result code.
+     */
+    private const HTTP_OK = 200;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @var CurlFactory
+     */
+    private $curlFactory;
+
+    /**
+     * @var GetAccessTokenInterface
+     */
+    private $getAccessToken;
+
+    /**
+     * @var FlushUserTokensInterface
+     */
+    private $flushUserTokens;
+    /**
+     * @var ImsConfig
+     */
+    private ImsConfig $imsConfig;
+    /**
+     * @var ImsConnection
+     */
+    private ImsConnection $imsConnection;
+
+    /**
+     * @param LoggerInterface $logger
+     * @param ImsConfig $imsConfig
+     * @param CurlFactory $curlFactory
+     * @param GetAccessTokenInterface $getAccessToken
+     * @param FlushUserTokensInterface $flushUserTokens
+     * @param ImsConnection $imsConnection
+     */
+    public function __construct(
+        LoggerInterface $logger,
+        ImsConfig $imsConfig,
+        CurlFactory $curlFactory,
+        GetAccessTokenInterface $getAccessToken,
+        FlushUserTokensInterface $flushUserTokens,
+        ImsConnection $imsConnection
+    ) {
+        $this->logger = $logger;
+        $this->curlFactory = $curlFactory;
+        $this->getAccessToken = $getAccessToken;
+        $this->flushUserTokens = $flushUserTokens;
+        $this->imsConfig = $imsConfig;
+        $this->imsConnection = $imsConnection;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function execute() : bool
+    {
+        try {
+            $accessToken = $this->getAccessToken->execute();
+
+            if (empty($accessToken)) {
+                return true;
+            }
+
+            $this->externalLogOut($accessToken);
+            $this->flushUserTokens->execute();
+            return true;
+        } catch (\Exception $exception) {
+            $this->logger->critical($exception);
+            return false;
+        }
+    }
+
+    /**
+     * Logout user from Adobe IMS
+     *
+     * @param string $accessToken
+     * @throws LocalizedException
+     */
+    private function externalLogOut(string $accessToken): void
+    {
+        if (!$this->checkUserProfile($accessToken)) {
+            throw new LocalizedException(
+                __('An error occurred during logout operation.')
+            );
+        }
+        $curl = $this->curlFactory->create();
+
+        $curl->addHeader('Content-Type', 'application/x-www-form-urlencoded');
+        $curl->addHeader('cache-control', 'no-cache');
+
+        $curl->post(
+            $this->imsConfig->getBackendLogoutUrl($accessToken),
+            []
+        );
+
+        if ($curl->getStatus() !== self::HTTP_OK || ($this->checkUserProfile($accessToken))) {
+            throw new LocalizedException(
+                __('An error occurred during logout operation.')
+            );
+        }
+    }
+
+    /**
+     * Checks whether user profile could be got by the access token
+     *  - If the token is invalidated, profile information won't be returned
+     *
+     * @param string $accessToken
+     * @return bool
+     * @throws AuthorizationException
+     */
+    private function checkUserProfile(string $accessToken): bool
+    {
+        try {
+            $profile = $this->imsConnection->getProfile($accessToken);
+            if (!empty($profile['email'])) {
+                return true;
+            }
+        } catch (AdobeImsTokenAuthorizationException $exception) {
+            return false;
+        }
+        return false;
+    }
+}

app/code/Magento/AdminAdobeIms/Observer/AdminLogoutObserver.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\AdminAdobeIms\Observer;
+
+use Magento\AdminAdobeIms\Model\LogOut;
+use Magento\Framework\Event\Observer;
+use Magento\Framework\Event\ObserverInterface;
+
+class AdminLogoutObserver implements ObserverInterface
+{
+    /**
+     * @var LogOut
+     */
+    private LogOut $logOut;
+
+    /**
+     * @param LogOut $logOut
+     */
+    public function __construct(
+        LogOut $logOut
+    ) {
+        $this->logOut = $logOut;
+    }
+
+    /**
+     * Perform logout action
+     *
+     * @param Observer $observer
+     * @return $this
+     * @SuppressWarnings(PHPMD.UnusedLocalVariable)
+     */
+    public function execute(Observer $observer)
+    {
+        $this->logOut->execute();
+        return $this;
+    }
+}

app/code/Magento/AdminAdobeIms/README.md

@@ -74,3 +74,20 @@ The layout file `view/adminhtml/layout/adobe_ims_login.xml` adds:
 
 We have included the minified css and the used svgs from Spectrum CSS with our module, but you can also use npm to install the latest versions.
 To rebuild the minified css run the command `./node_modules/.bin/postcss -o dist/index.min.css index.css` after npm install from inside the web directory.
+
+# Admin Backend Login
+
+Login with the help Adobe IMS Service is implemented. The redirect to Adobe IMS Service is performed-
+The redirect from Adobe IMS is done to \Magento\AdminAdobeIms\Controller\Adminhtml\OAuth\ImsCallback controller.
+
+The access code comes from Adobe, the token response is got on the basis of the access code,
+client id (api key) and client secret (private key). 
+The token response access taken is used for getting user profile information. 
+If this is successful, the admin user will be logged in and the access and refresh tokens are saved in the `adobe_user_profile` table.
+
+# Admin Backend Logout
+
+The logout from Adobe IMS Service is performed when Magento Admin User is logged out.
+It's triggered by the event `controller_action_predispatch_adminhtml_auth_logout`
+
+Token is invalidated with a call, if it's successful, the access and refresh token are deleted in the `adobe_user_profile` table.

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -26,6 +26,7 @@ class ImsConfig extends Config
     public const XML_PATH_AUTH_URL_PATTERN = 'adobe_ims/integration/auth_url_pattern';
     public const XML_PATH_PROFILE_URL = 'adobe_ims/integration/profile_url';
     private const OAUTH_CALLBACK_URL = 'adobe_ims_auth/oauth/';
+    public const XML_PATH_LOGOUT_URL = 'adobe_ims/integration/logout_url';
 
     /**
      * @var ScopeConfigInterface
@@ -132,7 +133,6 @@ public function disableModule(): void
     }
 
     /**
-     * Update config
      * Get Profile URL
      *
      * @return string
@@ -147,6 +147,8 @@ public function getProfileUrl(): string
     }
 
     /**
+     * Update config using config writer
+     *
      * @param string $path
      * @param string $value
      * @return void
@@ -232,6 +234,21 @@ private function getLocale(): string
         return $this->scopeConfig->getValue(Custom::XML_PATH_GENERAL_LOCALE_CODE);
     }
 
+    /**
+     * Get BackendLogout URL
+     *
+     * @param string $accessToken
+     * @return string
+     */
+    public function getBackendLogoutUrl(string $accessToken) : string
+    {
+        return str_replace(
+            ['#{access_token}', '#{client_secret}', '#{client_id}'],
+            [$accessToken, $this->getPrivateKey(), $this->getApiKey()],
+            $this->scopeConfig->getValue(self::XML_PATH_LOGOUT_URL)
+        );
+    }
+
     /**
      * Retrieve Organization Id
      *

app/code/Magento/AdminAdobeIms/Test/Unit/Model/ImsConnectionTest.php

@@ -28,6 +28,11 @@ class ImsConnectionTest extends TestCase
 
     private const AUTH_URL_ERROR = 'https://adobe-login-url.com/authorize?error=invalid_scope';
 
+    /**
+     * @var CurlFactory
+     */
+    private $curlFactory;
+
     /**
      * @var ImsConnection
      */

app/code/Magento/AdminAdobeIms/etc/config.xml

@@ -14,6 +14,7 @@
                 <auth_url_pattern><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/authorize/v2?client_id=#{client_id}&amp;redirect_uri=#{redirect_uri}&amp;locale=#{locale}&amp;scope=openid,creative_sdk,email,profile,additional_info,additional_info.roles&amp;response_type=code]]></auth_url_pattern>
                 <token_url>https://ims-na1-stg1.adobelogin.com/ims/token</token_url>
                 <profile_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/profile/v1?client_id=#{client_id}]]></profile_url>
+                <logout_url><![CDATA[https://ims-na1-stg1.adobelogin.com/ims/logout/v1?access_token=#{access_token}&amp;client_id=#{client_id}&amp;client_secret=#{client_secret}]]></logout_url>
             </integration>
         </adobe_ims>
     </default>

app/code/Magento/AdminAdobeIms/etc/events.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Event/etc/events.xsd">
+    <event name="controller_action_predispatch_adminhtml_auth_logout">
+        <observer name="admin_adobe_ims_observer" instance="Magento\AdminAdobeIms\Observer\AdminLogoutObserver" />
+    </event>
+</config>