Merge pull request #7654 from magento-performance/CABPI-398-no-test

CABPI-425: SignIn with AdobeID Button is missing on Login Page

Author: andimov

app/code/Magento/AdminAdobeIms/Console/Command/AdminAdobeImsEnableCommand.php

@@ -46,7 +46,7 @@ class AdminAdobeImsEnableCommand extends Command
     /**
      * Name of "two-factor-auth" input option
      */
-    private const TWO_FACTOR_AUTH_ARGUMENT = '2fa-auth';
+    private const TWO_FACTOR_AUTH_ARGUMENT = '2fa';
 
     /**
      * @var ImsConfig
@@ -119,7 +119,8 @@ public function __construct(
                     self::TWO_FACTOR_AUTH_ARGUMENT,
                     't',
                     InputOption::VALUE_OPTIONAL,
-                    'Check if 2FA Auth is enabled on Adobe IMS Side. Enables or disables the Magento 2FA'
+                    'Check if 2FA is enabled for Organization in Adobe Admin Console. ' .
+                    'Required when enabling the module'
                 )
             ]);
     }
@@ -169,7 +170,7 @@ protected function execute(InputInterface $input, OutputInterface $output): ?int
             }
 
             throw new LocalizedException(
-                __('The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
+                __('The Client ID, Client Secret, Organization ID and 2FA are required ' .
                     'when enabling the Admin Adobe IMS Module')
             );
         } catch (\Exception $e) {

app/code/Magento/AdminAdobeIms/README.md

@@ -1,13 +1,12 @@
 # Magento_Admin_Adobe_Ims module
-
 The Magento_Admin_Adobe_Ims module contains integration with Adobe IMS for backend authentication.
 
 For information about module installation in Magento 2, see [Enable or disable modules](https://devdocs.magento.com/guides/v2.4/install-gde/install/cli/install-cli-subcommands-enable.html).
 
 # CLI command usage:
 ## bin/magento admin:adobe-ims:enable
 Enables the AdminAdobeIMS Module. \
-Required values are `Organization ID`, `Client ID` and `Client Secret`
+Required values are `Organization ID`, `Client ID`, `Client Secret` and `2FA enabled`
 
 ### Argument Validation
 On enabling the AdminAdobeIMS Module, the input arguments will be validated. \
@@ -19,6 +18,7 @@ The pattern for the validation are configured in the di.xml
         <argument name="organizationIdRegex" xsi:type="string"><![CDATA[/^([A-Z0-9]{24})(@AdobeOrg)?$/i]]></argument>
         <argument name="clientIdRegex" xsi:type="string"><![CDATA[/[^a-z_\-0-9]/i]]></argument>
         <argument name="clientSecretRegex" xsi:type="string"><![CDATA[/[^a-z_\-0-9]/i]]></argument>
+        <argument name="twoFactorAuthRegex" xsi:type="string"><![CDATA[/^y/i]]></argument>
     </arguments>
 </type>
 ```
@@ -27,6 +27,7 @@ We check if the arguments are not empty, as they are all required.
 
 For the Organization ID, Client ID and Client Secret, we check if they contain only alphanumeric characters. \
 Additionally for the Organization ID, we check if it matches 24 characters and optional has the suffix `@AdobeOrg`. But we only store the ID and ignore the suffix.
+Also make sure 2FA is enabled for the Organization in Adobe Admin Console.
 
 ## bin/magento admin:adobe-ims:disable
 Disables the AdminAdobeIMS Module.
@@ -44,7 +45,6 @@ Client Secret configured
 If Admin Adobe Ims module is disabled, cli command will show message "Module is disabled"
 
 # Admin Login design
-
 The admin login design changes when the AdminAdobeIms module is enabled and configured correctly via the CLI command.
 We have added the customer layout handle `adobe_ims_login` to deal with all the design changes.
 This handle is added via `\Magento\AdminAdobeIms\Plugin\AddAdobeImsLayoutHandlePlugin::afterAddDefaultHandle`.
@@ -59,24 +59,21 @@ We have included the minified css and the used svgs from Spectrum CSS with our m
 To rebuild the minified css run the command `./node_modules/.bin/postcss -o dist/index.min.css index.css` after npm install from inside the web directory.
 
 # AdminAdobeIMS Callback
-
 For the AdobeIMS Login we provide a redirect_uri on the request. After a successful Login in AdobeIMS, we get redirected to provided redirect_uri.
 
 In the ImsCallback Controller we get the access_token and then the user profile.
-We then check if the assigned organization is valid and if the user does exist in the magento database, before we complete the user login in Magento.
+We then check if the assigned organization is valid and if the user does exist in the Magento database, before we complete the user login in Magento.
 
 If there went something wrong during the authorization, the user gets redirected to the admin login page and an error message is shown.
 
 # Organization ID Validation
-
 During the authorization we check if the configured `Organization ID` provided on the enabling CLI command is assigned to the user.
 
 In the profile response from Adobe IMS must be a `roles` array. There we have all assigned organizations to the user.
 
 We compare if the configured organization ID does exist in this array and also the structure of the organization ID is valid.
 
 # Admin Backend Login
-
 Login with the help Adobe IMS Service is implemented. The redirect to Adobe IMS Service is performed-
 The redirect from Adobe IMS is done to \Magento\AdminAdobeIms\Controller\Adminhtml\OAuth\ImsCallback controller.
 
@@ -97,14 +94,12 @@ If token is valid, value token_last_check_time will be updated to current time a
 If token is not valid, session will be destroyed.
 
 # Admin Backend Logout
-
 The logout from Adobe IMS Service is performed when Magento Admin User is logged out.
 It's triggered by the event `controller_action_predispatch_adminhtml_auth_logout`
 
-We do external LogOut by call to IMS. Session revoke is standard magento behavior
+We do external LogOut by call to IMS. Session revoke is standard Magento behavior
 
 # Admin Created Email
-
 We created an Observer for the `admin_user_save_after` event. \
 There we check if the customer object is newly created or not. \
 When a new admin user got created in Magento, he will then receive an email with further information on how to login.
@@ -117,11 +112,11 @@ The notification mail will be sent inside our `AdminNotificationService` where w
 # Error Handling
 For the AdminAdobeIms Module we have two specific error messages and one general error message which are shown on the Admin Login page when an error occured.
 
-###AdobeImsTokenAuthorizationException
+### AdobeImsTokenAuthorizationException
 Will be thrown when there was an error during the authorization. \
-e. g. a call to AdobeIMS fails or there was no matching admin found in the magento database.
+e. g. a call to AdobeIMS fails or there was no matching admin found in the Magento database.
 
-###AdobeImsOrganizationAuthorizationException
+### AdobeImsOrganizationAuthorizationException
 Will be thrown when the admin user who wants to log in does not have the configured organization ID assigned to his AdobeIMS Profile.
 
 ### Error logging
@@ -133,28 +128,28 @@ Logging can be enabled or disabled in the config on changing the value for `adob
 There you can switch the toggle for `Enable Logging for Admin Adobe IMS Module`
 
 # Password usage in Admin UI
-When the AdobeAdminIMS Module is enabled, we do not need any password fields in the magento admin backend anymore.
+When the AdobeAdminIMS Module is enabled, we do not need any password fields in the Magento admin backend anymore.
 
-So we hide the "Current User Verification" fields and removed the "Password" and "Password Confirmation" fields of the user forms.
-This is done by the Plugin `\Magento\AdminAdobeIms\Plugin\RemovePasswordAndUserConfirmationFormFieldsPlugin`.
-Here we remove the password and password confirmation field, and hide the current user verification fieldset. 
+So we removed the "Password" and "Password Confirmation" fields of the user forms.
+This is done by the plugin `\Magento\AdminAdobeIms\Plugin\RemovePasswordAndUserConfirmationFormFieldsPlugin`.
+Here we remove the password and password confirmation field. 
 As the verification field is just hidden, we set a random password to bypass the input filters of the Save and Delete user Classes.
-The `\Magento\AdminAdobeIms\Plugin\RemoveUserValidationRulesPlugin` Plugin is required to remove the password fields from the form validation.
+The `\Magento\AdminAdobeIms\Plugin\RemoveUserValidationRulesPlugin` plugin is required to remove the password fields from the form validation.
+We update the "Current User Identity Verification" fieldset to add "Verify Identity with Adobe IMS" button instead "Your Password" field.
+This is done by the plugins: `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\User\Edit\Tab\AddReAuthVerification`, `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\System\Account\Edit\AddReAuthVerification`, `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\User\Role\Tab\AddReAuthVerification` and `Magento\AdminAdobeIms\Plugin\Block\Adminhtml\Integration\Edit\Tab\AddReAuthVerification`.
 
-As we don't show the current user verification field anymore, we have the `\Magento\AdminAdobeIms\Plugin\ReplaceVerifyIdentityWithImsPlugin` Plugin to verify the `access_token` of the current admin user in AdobeIMS and only proceed when it is still valid.
+As we update the current user verification field, we have the `\Magento\AdminAdobeIms\Plugin\ReplaceVerifyIdentityWithImsPlugin` plugin to verify the `AdobeReAuthToken` of the current admin user in AdobeIMS and only proceed when it is valid.
 
 For the newly created user will be a random password generated, as we did not modify the admin_user table, where the password field can not be null. 
 This is done in the `\Magento\AdminAdobeIms\Plugin\UserSavePlugin`.
 
-We also disabled the "Change password in 30 days" functionally, as we don't need the magento admin user password for the login.
+We also disabled the "Change password in 30 days" functionally, as we don't need the Magento admin user password for the login.
 This can be found in the `\Magento\AdminAdobeIms\Plugin\DisableForcedPasswordChangePlugin` and `\Magento\AdminAdobeIms\Plugin\DisablePasswordResetPlugin` Plugins.
 
 When the AdminAdobeIMS Module is disabled, the user can not be log in when using an empty password.
 Instead, the forgot password function must be used to reset the password.
 
-
 # WEB API authentication using IMS ACCESS_TOKEN
-
 When Admin Adobe IMS is enabled, Adobe Commerce admin users will stop having credentials (username and password).
 These admin user credentials are needed for getting token that can be used to make requests to admin web APIs.
 It means that will be not possible to create token because admin doesn't have credentials. In these case we have to use IMS access token.
@@ -177,7 +172,7 @@ Magento has setting: Stores > Settings > Configuration > Services > OAuth > Acce
 Both of values are checked in function isTokenExpired \Magento\AdminAdobeIms\Model\TokenReader.
 it means that with default values is not possible to use tokens that older than 4h.
 
-###IMS access token verification.
+### IMS access token verification.
 To verify token a public key is required. For more info https://wiki.corp.adobe.com/display/ims/IMS+public+key+retrieval 
 In Admin Adobe Ims module was defined path where certificate has to be downloaded from.
 By default, in config.xml, these value for production.
@@ -201,9 +196,8 @@ Examples, how developers can test functionality:
 curl -X GET "{domain}/rest/V1/customers/2" -H "Authorization: Bearer AddAdobeImsAccessToken"
 curl -X GET "{domain}/rest/V1/products/24-MB01" -H "Authorization: Bearer AddAdobeImsAccessToken"
 
-###Two-factor authentication.
-
-During CLI enablement of the module, the admin user is asked, whether 2FA is enabled for him on Adobe side.
+### Two-factor authentication.
+During CLI enablement of the module, the admin user is asked, whether 2FA is enabled for Organization in Adobe Admin Console.
 If the answer is yes, Magento TFA module (if it's present in the code base), should be disable.
 
 For this purpose the additional config value was added, this config value is read by Magento_TwoFactorAuth module.
@@ -222,4 +216,4 @@ When the form will be submitted, we verify the identity with the `Magento/AdminA
 Here the existens of the `AdobeAccessToken` and `AdobeReAuthToken` will be checked.
 The reauth_token will be used to call the AdobeIms validateToken Endpoint.
 
-When this call is successfull, the form will be submitted, otherwise we update the Message of the thrown `AuthenticationException` to return a matching error message, done by the `Magento/AdminAdobeIms/Plugin/PerformIdentityCheckMessagePlugin.php` Plugin.
+When this call is successful, the form will be submitted, otherwise we update the Message of the thrown `AuthenticationException` to return a matching error message, done by the `Magento/AdminAdobeIms/Plugin/PerformIdentityCheckMessagePlugin.php` Plugin.

app/code/Magento/AdminAdobeIms/Service/ImsCommandOptionService.php

@@ -22,9 +22,9 @@ class ImsCommandOptionService
     private const OPTION_QUESTION = 'Please enter your %s:';
 
     /**
-     * Prompt for 2FA Auth CLI Command option
+     * Prompt for 2FA CLI Command option
      */
-    private const TWO_FACTOR_OPTION_QUESTION = 'Is 2FA enabled on AdobeIMS? (yes/no):';
+    private const TWO_FACTOR_OPTION_QUESTION = 'Is 2FA enabled for Organization in Adobe Admin Console? (yes/no):';
 
     /**
      * Human-readable name for Organization ID input option

app/code/Magento/AdminAdobeIms/Service/ImsConfig.php

@@ -121,7 +121,7 @@ public function enableModule(
     ): void {
         if (!$isAdobeIms2FAEnabled) {
             throw new LocalizedException(
-                __('2FA Auth is required when enabling the Admin Adobe IMS Module')
+                __('2FA is required when enabling the Admin Adobe IMS Module')
             );
         }
 

app/code/Magento/AdminAdobeIms/Test/Mftf/Data/ClientCredentialsData.xml

@@ -9,8 +9,8 @@
 <entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="urn:magento:mftf:DataGenerator/etc/dataProfileSchema.xsd">
     <entity name="ClientCredentialsData">
-        <data key="org_id">{{_CREDS.magento/admin_adobe_ims/org_id}}</data>
-        <data key="client_id">{{_CREDS.magento/admin_adobe_ims/client_id}}</data>
-        <data key="client_key">{{_CREDS.magento/admin_adobe_ims/client_key}}</data>
+        <data key="org_id">{{_CREDS.magento/admin_adobe_ims_org_id}}</data>
+        <data key="client_id">{{_CREDS.magento/admin_adobe_ims_client_id}}</data>
+        <data key="client_key">{{_CREDS.magento/admin_adobe_ims_client_key}}</data>
     </entity>
 </entities>

app/code/Magento/AdminAdobeIms/Test/Unit/Command/AdminAdobeImsEnableCommandTest.php

@@ -171,23 +171,23 @@ public function cliCommandProvider(): array
                 false,
                 $this->never(),
                 $this->never(),
-                '<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
+                '<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
                 'when enabling the Admin Adobe IMS Module</error>',
                 true
             ],
             [
                 true,
                 $this->never(),
                 $this->never(),
-                '<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
+                '<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
                 'when enabling the Admin Adobe IMS Module</error>',
                 false
             ],
             [
                 false,
                 $this->never(),
                 $this->never(),
-                '<error>The Client ID, Client Secret, Organization ID and 2FA Auth are required ' .
+                '<error>The Client ID, Client Secret, Organization ID and 2FA are required ' .
                 'when enabling the Admin Adobe IMS Module</error>',
                 false
             ]

app/code/Magento/AdminAdobeIms/ViewModel/LinkViewModel.php

@@ -9,23 +9,56 @@
 
 use Magento\AdminAdobeIms\Model\ImsConnection;
 use Magento\Framework\Exception\InvalidArgumentException;
+use Magento\Framework\Message\ManagerInterface as MessageManagerInterface;
 use Magento\Framework\View\Element\Block\ArgumentInterface;
+use Psr\Log\LoggerInterface;
 
 class LinkViewModel implements ArgumentInterface
 {
-    /** @var string */
-    private string $authUrl;
+    /**
+     * @var string|null
+     */
+    private ?string $authUrl;
+
+    /**
+     * @var LoggerInterface
+     */
+    private LoggerInterface $logger;
+
+    /**
+     * @var MessageManagerInterface
+     */
+    private MessageManagerInterface $messageManager;
 
     /**
      * @param ImsConnection $connection
+     * @param LoggerInterface $logger
+     * @param MessageManagerInterface $messageManager
      */
     public function __construct(
-        ImsConnection $connection
+        ImsConnection $connection,
+        LoggerInterface $logger,
+        MessageManagerInterface $messageManager
     ) {
+        $this->logger = $logger;
+        $this->messageManager = $messageManager;
+
         try {
             $this->authUrl = $connection->auth();
-        } catch (InvalidArgumentException $exception) {
-            $this->authUrl = '';
+        } catch (InvalidArgumentException $e) {
+            $this->logger->error($e->getMessage());
+            $this->authUrl = null;
+            $this->addImsErrorMessage(
+                'Could not connect to Adobe IMS.',
+                $e->getMessage()
+            );
+        } catch (\Exception $e) {
+            $this->logger->error($e->getMessage());
+            $this->authUrl = null;
+            $this->addImsErrorMessage(
+                'Could not connect to Adobe IMS.',
+                'Something went wrong during Adobe IMS connection check.'
+            );
         }
     }
 
@@ -42,10 +75,28 @@ public function isActive(): bool
     /**
      * Get authorization URL for Login Button
      *
-     * @return string
+     * @return string|null
      */
-    public function getButtonLink(): string
+    public function getButtonLink(): ?string
     {
         return $this->authUrl;
     }
+
+    /**
+     * Add Admin Adobe IMS Error Message
+     *
+     * @param string $headline
+     * @param string $message
+     * @return void
+     */
+    private function addImsErrorMessage(string $headline, string $message): void
+    {
+        $this->messageManager->addComplexErrorMessage(
+            'adminAdobeImsMessage',
+            [
+                'headline' => __($headline)->getText(),
+                'message' => __($message)->getText()
+            ]
+        );
+    }
 }