Skip to content

Commit

Permalink
deactivate expired users on session prolong (magento#22833)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lfolco
lfolco committed Oct 19, 2019
1 parent df0c97c commit babc965
Show file tree
Hide file tree
Showing 4 changed files with 74 additions and 10 deletions.
8 changes: 6 additions & 2 deletions app/code/Magento/Security/Model/Plugin/AuthSession.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,12 @@ public function __construct(
*/
public function aroundProlong(Session $session, \Closure $proceed)
{
if (!$this->sessionsManager->getCurrentSession()->isLoggedInStatus() ||
$this->userExpirationManager->isUserExpired($session->getUser()->getId())) {
if (!$this->sessionsManager->getCurrentSession()->isLoggedInStatus()) {
$session->destroy();
$this->addUserLogoutNotification();
return null;
} elseif ($this->userExpirationManager->isUserExpired($session->getUser()->getId())) {
$this->userExpirationManager->deactivateExpiredUsers([$session->getUser()->getId()]);
$session->destroy();
$this->addUserLogoutNotification();
return null;
Expand Down
53 changes: 53 additions & 0 deletions app/code/Magento/Security/Test/Mftf/Test/AdminNavigateWhileUserExpiredTest.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">

<test name="AdminNavigateWhileUserExpiredTest">
<annotations>
<features value="Security"/>
<stories value="Navigate to an admin page after user expiration date passes."/>
<title value="Navigate to an admin page after user expiration date passes"/>
<description value="Navigate to an admin page after user expiration date passes."/>
<testCaseId value="" />
<severity value="CRITICAL"/>
<group value="security"/>
</annotations>

<before>
<actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
</before>
<after>
<actionGroup ref="logout" stepKey="logout"/>
</after>

<!-- Create user -->
<actionGroup ref="AdminOpenNewUserPageActionGroup" stepKey="openNewUserPage" />
<generateDate date="+2 minute" format="M d, Y g:i:s A" stepKey="expiresDateTime"/>
<actionGroup ref="AdminFillInUserWithExpirationActionGroup" stepKey="fillInNewUserWithValidExpiration">
<argument name="expires_at" value="{$expiresDateTime}"/>
</actionGroup>
<grabValueFrom selector="{{AdminNewUserFormSection.username}}" stepKey="grabUsername"/>
<grabValueFrom selector="{{AdminNewUserFormSection.password}}" stepKey="grabPassword"/>
<scrollToTopOfPage stepKey="scrollToTopOfPage"/>
<click selector="{{AdminNewUserFormSection.userInfoTab}}" stepKey="openUserInfoTab"/>
<actionGroup ref="AdminSaveUserSuccessActionGroup" stepKey="saveNewUserWithValidExpirationSuccess"/>
<actionGroup ref="logout" stepKey="logout"/>

<!-- Login as that user -->
<actionGroup ref="LoginAdminWithCredentialsActionGroup" stepKey="loginAsNewAdmin">
<argument name="adminUser" value="{$grabUsername}"/>
<argument name="adminPassword" value="{$grabPassword}"/>
</actionGroup>
<actionGroup ref="AssertAdminDashboardPageIsVisibleActionGroup" stepKey="seeDashboardPage"/>
<wait time="120" stepKey="waitForUserToExpire"/>
<amOnPage url="{{AdminCustomerPage.url}}" stepKey="navigateToCustomers"/>
<!-- Confirm that user is logged out -->
<seeInCurrentUrl url="{{AdminLoginPage.url}}" stepKey="seeAdminLoginUrl"/>

<!-- Delete created user -->
<actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
<actionGroup ref="AdminDeleteCustomUserActionGroup" stepKey="deleteUser">
<argument name="user" value="NewAdminUser"/>
</actionGroup>
</test>
</tests>
20 changes: 12 additions & 8 deletions app/code/Magento/Security/Test/Unit/Model/Plugin/AuthSessionTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ public function setUp()

$this->userExpirationManagerMock = $this->createPartialMock(
\Magento\Security\Model\UserExpirationManager::class,
['isUserExpired']
['isUserExpired', 'deactivateExpiredUsers']
);

$this->userMock = $this->createMock(\Magento\User\Model\User::class);
Expand Down Expand Up @@ -188,27 +188,31 @@ public function testAroundProlongSessionIsActiveUserIsExpired()
->method('isLoggedInStatus')
->willReturn(true);

$this->authSessionMock->expects($this->once())
$this->authSessionMock->expects($this->exactly(2))
->method('getUser')
->willReturn($this->userMock);

$this->userMock->expects($this->once())
$this->userMock->expects($this->exactly(2))
->method('getId')
->willReturn($adminUserId);

$this->requestMock->expects($this->once())
->method('getParam')
->with('isAjax')
->willReturn(false);

$this->userExpirationManagerMock->expects($this->once())
->method('isUserExpired')
->with($adminUserId)
->willReturn(true);

$this->userExpirationManagerMock->expects($this->once())
->method('deactivateExpiredUsers')
->with([$adminUserId]);

$this->authSessionMock->expects($this->once())
->method('destroy');

$this->requestMock->expects($this->once())
->method('getParam')
->with('isAjax')
->willReturn(false);

$this->adminSessionsManagerMock->expects($this->once())
->method('getLogoutReasonMessage')
->willReturn($errorMessage);
Expand Down
3 changes: 3 additions & 0 deletions dev/tests/integration/testsuite/Magento/Security/Model/Plugin/AuthSessionTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ public function testProcessProlongWithExpiredUser()

$expireDate = new \DateTime();
$expireDate->modify('-10 days');
/** @var \Magento\User\Model\User $user */
$user = $this->objectManager->create(\Magento\User\Model\User::class);
$user->loadByUsername(\Magento\TestFramework\Bootstrap::ADMIN_NAME);
$userExpirationFactory = $this->objectManager->create(\Magento\Security\Model\UserExpirationFactory::class);
Expand All @@ -178,5 +179,7 @@ public function testProcessProlongWithExpiredUser()
$this->adminSessionInfo->load($sessionId, 'session_id');
$this->authSession->prolong();
static::assertFalse($this->auth->isLoggedIn());
$user->reload();
static::assertFalse((bool)$user->getIsActive());
}
}

0 comments on commit babc965

Please sign in to comment.