ENGCOM-6014: [WIP] Short-term admin accounts #22833 #22837

- Merge Pull Request #22837 from lfolco/magento2:project_pepe - Merged commits: 1. fa1f103 2. 451fae8 3. 70821f0 4. b17c54d 5. c0c6825 6. 6e2043e 7. 9136564 8. 37c9d12 9. 8b5bec6 10. 0b78cbb 11. 976076f 12. db95a0d 13. cf66338 14. c552e5f 15. f44ac3e 16. d5855ba 17. 439f565 18. c6f455d 19. 32f8741 20. a6511f5 21. ae08dad 22. 54882c3 23. ad4628b 24. 3c608fd 25. e4ec0e2 26. 13bfde2 27. e51bf0a 28. 185d640 29. 071f993 30. b407c8c 31. 47a9ed7 32. b631f9d 33. 6407af8 34. 75664d4 35. c384fab 36. cd53ca4 37. 581ace6 38. 13038fc 39. 2122209 40. 192f8e8 41. c5ac841 42. 57dda2e 43. 05fae71 44. 6378fe6 45. 1535364 46. c8e1e93 47. 437cbf0 48. 60f5710 49. 9e82e91 50. 61d3ffa 51. e87d4e6 52. bad8f2b 53. 6406d93 54. e13b5e4 55. 83e393e 56. d2538ad 57. b16de6b 58. b195ca0 59. 1089987 60. 581988a 61. f185806 62. d8c8473 63. 0f91a9d 64. 8036e29 65. 45d648f 66. 970510c 67. 78dc3b5 68. 171c4c9 69. 89b8512 70. bcef590 71. 627273b 72. 6b8e89e 73. 9e6f316 74. 20f2f0e 75. 1b1c12e 76. 91e0604 77. 47dfddb 78. c6f9e6b 79. df0c97c 80. babc965 81. 4c4149f 82. 33a5d36 83. 0ed4e6a 84. 74389d7 85. 5111c05 86. 9d8ce1c 87. 95fce13 88. 932559d 89. 7fee060 90. 5e6fdeb 91. 3a67bc8 92. b03b0a0 93. c8a41b7 94. 107cb5f 95. bef0bd5 96. 6ef861e 97. d65e609 98. c8cfb5b
magento · Mar 26, 2020 · 07048f6 · 07048f6
2 parents f3df323 + c8cfb5b
commit 07048f6
Show file tree

Hide file tree

Showing 42 changed files with 2,312 additions and 5 deletions.
diff --git a/app/code/Magento/Analytics/Test/Mftf/Test/AdminConfigurationPermissionTest.xml b/app/code/Magento/Analytics/Test/Mftf/Test/AdminConfigurationPermissionTest.xml
@@ -35,8 +35,9 @@
         <waitForPageLoad time="30" stepKey="wait2"/>
         <seeInField selector="{{AdminEditUserSection.usernameTextField}}" userInput="$$noReportUser.username$$" stepKey="seeUsernameInField"/>
         <fillField selector="{{AdminEditUserSection.currentPasswordField}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}" stepKey="fillCurrentPassword"/>
-        <click selector="{{AdminEditUserSection.userRoleTab}}" stepKey="clickUserRoleTab"/>
+        <scrollToTopOfPage stepKey="scrollToTopOfPage"/>
 
+        <click selector="{{AdminEditUserSection.userRoleTab}}" stepKey="clickUserRoleTab"/>
         <fillField selector="{{AdminEditUserSection.roleNameFilterTextField}}" userInput="$$noReportUserRole.rolename$$" stepKey="fillRoleNameSearch"/>
         <click selector="{{AdminEditUserSection.searchButton}}" stepKey="clickSearchButtonUserRole"/>
         <waitForPageLoad time="10" stepKey="wait3"/>

diff --git a/app/code/Magento/Security/Api/Data/UserExpirationInterface.php b/app/code/Magento/Security/Api/Data/UserExpirationInterface.php
@@ -0,0 +1,67 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Security\Api\Data;
+
+use \Magento\Security\Api\Data\UserExpirationExtensionInterface;
+
+/**
+ * Interface UserExpirationInterface to be used as a DTO for expires_at property on User model.
+ */
+interface UserExpirationInterface extends \Magento\Framework\Api\ExtensibleDataInterface
+{
+
+    public const EXPIRES_AT = 'expires_at';
+
+    public const USER_ID = 'user_id';
+
+    /**
+     * `expires_at` getter.
+     *
+     * @return string
+     */
+    public function getExpiresAt();
+
+    /**
+     * `expires_at` setter.
+     *
+     * @param string $expiresAt
+     * @return $this
+     */
+    public function setExpiresAt($expiresAt);
+
+    /**
+     * `user_id` getter.
+     *
+     * @return string
+     */
+    public function getUserId();
+
+    /**
+     * `user_id` setter.
+     *
+     * @param string $userId
+     * @return $this
+     */
+    public function setUserId($userId);
+
+    /**
+     * Retrieve existing extension attributes object or create a new one.
+     *
+     * @return \Magento\Security\Api\Data\UserExpirationExtensionInterface|null
+     */
+    public function getExtensionAttributes();
+
+    /**
+     * Set an extension attributes object.
+     *
+     * @param \Magento\Security\Api\Data\UserExpirationExtensionInterface $extensionAttributes
+     * @return $this
+     */
+    public function setExtensionAttributes(UserExpirationExtensionInterface $extensionAttributes);
+}
diff --git a/app/code/Magento/Security/Model/Plugin/AdminUserForm.php b/app/code/Magento/Security/Model/Plugin/AdminUserForm.php
@@ -0,0 +1,112 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\Plugin;
+
+use Magento\Framework\Stdlib\DateTime\TimezoneInterface;
+use Magento\Security\Model\ResourceModel\UserExpiration;
+use Magento\Security\Model\UserExpirationFactory;
+
+/**
+ * Add the `expires_at` form field to the User main form.
+ */
+class AdminUserForm
+{
+
+    /**
+     * @var TimezoneInterface
+     */
+    private $localeDate;
+
+    /**
+     * @var UserExpiration
+     */
+    private $userExpirationResource;
+
+    /**
+     * @var UserExpirationFactory
+     */
+    private $userExpirationFactory;
+
+    /**
+     * UserForm constructor.
+     *
+     * @param TimezoneInterface $localeDate
+     * @param UserExpirationFactory $userExpirationFactory
+     * @param UserExpiration $userExpirationResource
+     */
+    public function __construct(
+        TimezoneInterface $localeDate,
+        UserExpirationFactory $userExpirationFactory,
+        UserExpiration $userExpirationResource
+    ) {
+        $this->localeDate = $localeDate;
+        $this->userExpirationResource = $userExpirationResource;
+        $this->userExpirationFactory = $userExpirationFactory;
+    }
+
+    /**
+     * Add the `expires_at` field to the admin user edit form.
+     *
+     * @param \Magento\User\Block\User\Edit\Tab\Main $subject
+     * @param \Closure $proceed
+     * @return mixed
+     */
+    public function aroundGetFormHtml(
+        \Magento\User\Block\User\Edit\Tab\Main $subject,
+        \Closure $proceed
+    ) {
+        /** @var \Magento\Framework\Data\Form $form */
+        $form = $subject->getForm();
+        if (is_object($form)) {
+            $dateFormat = $this->localeDate->getDateFormat(
+                \IntlDateFormatter::MEDIUM
+            );
+            $timeFormat = $this->localeDate->getTimeFormat(
+                \IntlDateFormatter::MEDIUM
+            );
+            $fieldset = $form->getElement('base_fieldset');
+            $userIdField = $fieldset->getElements()->searchById('user_id');
+            $userExpirationValue = null;
+            if ($userIdField) {
+                $userId = $userIdField->getValue();
+                $userExpirationValue = $this->loadUserExpirationByUserId($userId);
+            }
+            $fieldset->addField(
+                'expires_at',
+                'date',
+                [
+                    'name' => 'expires_at',
+                    'label' => __('Expiration Date'),
+                    'title' => __('Expiration Date'),
+                    'date_format' => $dateFormat,
+                    'time_format' => $timeFormat,
+                    'class' => 'validate-date',
+                    'value' => $userExpirationValue,
+                ]
+            );
+
+            $subject->setForm($form);
+        }
+
+        return $proceed();
+    }
+
+    /**
+     * Loads a user expiration record by user ID.
+     *
+     * @param string $userId
+     * @return string
+     */
+    private function loadUserExpirationByUserId($userId)
+    {
+        /** @var \Magento\Security\Model\UserExpiration $userExpiration */
+        $userExpiration = $this->userExpirationFactory->create();
+        $this->userExpirationResource->load($userExpiration, $userId);
+        return $userExpiration->getExpiresAt();
+    }
+}
diff --git a/app/code/Magento/Security/Model/Plugin/AuthSession.php b/app/code/Magento/Security/Model/Plugin/AuthSession.php
@@ -7,6 +7,7 @@
 
 use Magento\Backend\Model\Auth\Session;
 use Magento\Security\Model\AdminSessionsManager;
+use Magento\Security\Model\UserExpirationManager;
 
 /**
  * Magento\Backend\Model\Auth\Session decorator
@@ -33,22 +34,32 @@ class AuthSession
      */
     protected $securityCookie;
 
+    /**
+     * @var UserExpirationManager
+     */
+    private $userExpirationManager;
+
     /**
      * @param \Magento\Framework\App\RequestInterface $request
      * @param \Magento\Framework\Message\ManagerInterface $messageManager
      * @param AdminSessionsManager $sessionsManager
      * @param \Magento\Security\Model\SecurityCookie $securityCookie
+     * @param UserExpirationManager|null $userExpirationManager
      */
     public function __construct(
         \Magento\Framework\App\RequestInterface $request,
         \Magento\Framework\Message\ManagerInterface $messageManager,
         AdminSessionsManager $sessionsManager,
-        \Magento\Security\Model\SecurityCookie $securityCookie
+        \Magento\Security\Model\SecurityCookie $securityCookie,
+        \Magento\Security\Model\UserExpirationManager $userExpirationManager = null
     ) {
         $this->request = $request;
         $this->messageManager = $messageManager;
         $this->sessionsManager = $sessionsManager;
         $this->securityCookie = $securityCookie;
+        $this->userExpirationManager = $userExpirationManager ?:
+            \Magento\Framework\App\ObjectManager::getInstance()
+                ->get(\Magento\Security\Model\UserExpirationManager::class);
     }
 
     /**
@@ -64,6 +75,11 @@ public function aroundProlong(Session $session, \Closure $proceed)
             $session->destroy();
             $this->addUserLogoutNotification();
             return null;
+        } elseif ($this->userExpirationManager->isUserExpired($session->getUser()->getId())) {
+            $this->userExpirationManager->deactivateExpiredUsersById([$session->getUser()->getId()]);
+            $session->destroy();
+            $this->addUserLogoutNotification();
+            return null;
         }
         $result = $proceed();
         $this->sessionsManager->processProlong();

diff --git a/app/code/Magento/Security/Model/Plugin/UserValidationRules.php b/app/code/Magento/Security/Model/Plugin/UserValidationRules.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\Plugin;
+
+use Magento\Security\Model\UserExpiration\Validator;
+
+/**
+ * \Magento\User\Model\UserValidationRules decorator
+ */
+class UserValidationRules
+{
+    /**@var Validator */
+    private $validator;
+
+    /**
+     * UserValidationRules constructor.
+     *
+     * @param Validator $validator
+     */
+    public function __construct(Validator $validator)
+    {
+        $this->validator = $validator;
+    }
+
+    /**
+     * Add the Expires At validator to user validation rules.
+     *
+     * @param \Magento\User\Model\UserValidationRules $userValidationRules
+     * @param \Magento\Framework\Validator\DataObject $result
+     * @return \Magento\Framework\Validator\DataObject
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterAddUserInfoRules(\Magento\User\Model\UserValidationRules $userValidationRules, $result)
+    {
+        return $result->addRule($this->validator, 'expires_at');
+    }
+}
diff --git a/app/code/Magento/Security/Model/ResourceModel/UserExpiration.php b/app/code/Magento/Security/Model/ResourceModel/UserExpiration.php
@@ -0,0 +1,88 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\ResourceModel;
+
+/**
+ * Admin User Expiration resource model
+ */
+class UserExpiration extends \Magento\Framework\Model\ResourceModel\Db\AbstractDb
+{
+
+    /**
+     * Flag that notifies whether Primary key of table is auto-incremented
+     *
+     * @var bool
+     */
+    protected $_isPkAutoIncrement = false;
+
+    /**
+     * @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface
+     */
+    private $timezone;
+
+    /**
+     * UserExpiration constructor.
+     *
+     * @param \Magento\Framework\Model\ResourceModel\Db\Context $context
+     * @param \Magento\Framework\Stdlib\DateTime\TimezoneInterface $timezone
+     * @param string $connectionName
+     */
+    public function __construct(
+        \Magento\Framework\Model\ResourceModel\Db\Context $context,
+        \Magento\Framework\Stdlib\DateTime\TimezoneInterface $timezone,
+        ?string $connectionName = null
+    ) {
+        parent::__construct($context, $connectionName);
+        $this->timezone = $timezone;
+    }
+
+    /**
+     * Define main table
+     *
+     * @return void
+     */
+    protected function _construct()
+    {
+        $this->_init('admin_user_expiration', 'user_id');
+    }
+
+    /**
+     * Convert to UTC time.
+     *
+     * @param \Magento\Framework\Model\AbstractModel $userExpiration
+     * @return $this
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    protected function _beforeSave(\Magento\Framework\Model\AbstractModel $userExpiration)
+    {
+        /** @var $userExpiration \Magento\Security\Model\UserExpiration */
+        $expiresAt = $userExpiration->getExpiresAt();
+        $utcValue = $this->timezone->convertConfigTimeToUtc($expiresAt);
+        $userExpiration->setExpiresAt($utcValue);
+
+        return $this;
+    }
+
+    /**
+     * Convert to store time.
+     *
+     * @param \Magento\Framework\Model\AbstractModel $userExpiration
+     * @return $this|\Magento\Framework\Model\ResourceModel\Db\AbstractDb
+     * @throws \Exception
+     */
+    protected function _afterLoad(\Magento\Framework\Model\AbstractModel $userExpiration)
+    {
+        /** @var $userExpiration \Magento\Security\Model\UserExpiration */
+        if ($userExpiration->getExpiresAt()) {
+            $storeValue = $this->timezone->date($userExpiration->getExpiresAt());
+            $userExpiration->setExpiresAt($storeValue->format('Y-m-d H:i:s'));
+        }
+
+        return $this;
+    }
+}