AC-1619: Integration access tokens do not work as Bearer tokens

Author: nathanjosiah

app/code/Magento/Integration/Model/CompositeTokenReader.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Model;
+
+use Magento\Integration\Api\Data\UserToken;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+
+/**
+ * Checks multiple sources for reading a token
+ */
+class CompositeTokenReader implements UserTokenReaderInterface
+{
+    /**
+     * @var UserTokenReaderInterface[]
+     */
+    private $readers;
+
+    /**
+     * @param UserTokenReaderInterface[] $readers
+     */
+    public function __construct(array $readers)
+    {
+        $this->readers = $readers;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function read(string $token): UserToken
+    {
+        foreach ($this->readers as $reader) {
+            try {
+                return $reader->read($token);
+            } catch (UserTokenException $exception) {
+                continue;
+            }
+        }
+
+        throw new UserTokenException('Composite reader could not read a token');
+    }
+}

app/code/Magento/Integration/Model/OpaqueToken/Reader.php

@@ -8,14 +8,20 @@
 
 namespace Magento\Integration\Model\OpaqueToken;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Integration\Api\Data\UserToken;
 use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\IntegrationServiceInterface;
 use Magento\Integration\Api\UserTokenReaderInterface;
 use Magento\Integration\Model\CustomUserContext;
 use Magento\Integration\Model\Oauth\Token;
 use Magento\Integration\Model\Oauth\TokenFactory;
 use Magento\Integration\Helper\Oauth\Data as OauthHelper;
+use Magento\Webapi\Model\Authorization\AuthorizationConfig;
 
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class Reader implements UserTokenReaderInterface
 {
     /**
@@ -28,22 +34,67 @@ class Reader implements UserTokenReaderInterface
      */
     private $helper;
 
+    /**
+     * @var AuthorizationConfig
+     */
+    private $authorizationConfig;
+
+    /**
+     * @var IntegrationServiceInterface
+     */
+    private IntegrationServiceInterface $integrationService;
+
     /**
      * @param TokenFactory $tokenFactory
      * @param OauthHelper $helper
+     * @param AuthorizationConfig|null $authorizationConfig
+     * @param IntegrationServiceInterface|null $integrationService
      */
-    public function __construct(TokenFactory $tokenFactory, OauthHelper $helper)
-    {
+    public function __construct(
+        TokenFactory $tokenFactory,
+        OauthHelper $helper,
+        ?AuthorizationConfig $authorizationConfig = null,
+        ?IntegrationServiceInterface $integrationService = null
+    ) {
         $this->tokenFactory = $tokenFactory;
         $this->helper = $helper;
+        $this->authorizationConfig = $authorizationConfig ?? ObjectManager::getInstance()
+            ->get(AuthorizationConfig::class);
+        $this->integrationService = $integrationService ?? ObjectManager::getInstance()
+            ->get(IntegrationServiceInterface::class);
     }
 
     /**
      * @inheritDoc
      */
     public function read(string $token): UserToken
     {
-        /** @var Token $tokenModel */
+
+        $tokenModel = $this->getTokenModel($token);
+        $userType = (int) $tokenModel->getUserType();
+        $this->validateUserType($userType);
+        $userId = $this->getUserId($tokenModel);
+
+        $issued = \DateTimeImmutable::createFromFormat(
+            'Y-m-d H:i:s',
+            $tokenModel->getCreatedAt(),
+            new \DateTimeZone('UTC')
+        );
+        $lifetimeHours = $userType === CustomUserContext::USER_TYPE_ADMIN
+            ? $this->helper->getAdminTokenLifetime() : $this->helper->getCustomerTokenLifetime();
+        $expires = $issued->add(new \DateInterval("PT{$lifetimeHours}H"));
+
+        return new UserToken(new CustomUserContext((int) $userId, (int) $userType), new Data($issued, $expires));
+    }
+
+    /**
+     * Create the token model from the input
+     *
+     * @param string $token
+     * @return Token
+     */
+    private function getTokenModel(string $token): Token
+    {
         $tokenModel = $this->tokenFactory->create();
         $tokenModel = $tokenModel->load($token, 'token');
 
@@ -53,27 +104,49 @@ public function read(string $token): UserToken
         if ($tokenModel->getRevoked()) {
             throw new UserTokenException('Token was revoked');
         }
-        $userType = (int) $tokenModel->getUserType();
-        if ($userType !== CustomUserContext::USER_TYPE_ADMIN && $userType !== CustomUserContext::USER_TYPE_CUSTOMER) {
+
+        return $tokenModel;
+    }
+
+    /**
+     * Validate the given user type
+     *
+     * @param int $userType
+     */
+    private function validateUserType(int $userType): void
+    {
+        if ($userType === CustomUserContext::USER_TYPE_INTEGRATION) {
+            if (!$this->authorizationConfig->isIntegrationAsBearerEnabled()) {
+                throw new UserTokenException('Invalid token found');
+            }
+        } elseif ($userType !== CustomUserContext::USER_TYPE_ADMIN
+            && $userType !== CustomUserContext::USER_TYPE_CUSTOMER
+        ) {
             throw new UserTokenException('Invalid token found');
         }
+    }
+
+    /**
+     * Determine the user id for a given token
+     *
+     * @param Token $tokenModel
+     * @return int
+     */
+    private function getUserId(Token $tokenModel): int
+    {
+        $userType = (int)$tokenModel->getUserType();
+
         if ($userType === CustomUserContext::USER_TYPE_ADMIN) {
             $userId = $tokenModel->getAdminId();
+        } elseif ($userType === CustomUserContext::USER_TYPE_INTEGRATION) {
+            $userId = $this->integrationService->findByConsumerId($tokenModel->getConsumerId())->getId();
         } else {
             $userId = $tokenModel->getCustomerId();
         }
         if (!$userId) {
             throw new UserTokenException('Invalid token found');
         }
-        $issued = \DateTimeImmutable::createFromFormat(
-            'Y-m-d H:i:s',
-            $tokenModel->getCreatedAt(),
-            new \DateTimeZone('UTC')
-        );
-        $lifetimeHours = $userType === CustomUserContext::USER_TYPE_ADMIN
-            ? $this->helper->getAdminTokenLifetime() : $this->helper->getCustomerTokenLifetime();
-        $expires = $issued->add(new \DateInterval("PT{$lifetimeHours}H"));
 
-        return new UserToken(new CustomUserContext((int) $userId, (int) $userType), new Data($issued, $expires));
+        return $userId;
     }
 }

app/code/Magento/Integration/Model/UserToken/ExpirationValidator.php

@@ -8,6 +8,7 @@
 
 namespace Magento\Integration\Model\UserToken;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Integration\Api\Data\UserToken;
 use Magento\Integration\Api\UserTokenValidatorInterface;
@@ -33,7 +34,9 @@ public function __construct(DtUtil $datetimeUtil)
      */
     public function validate(UserToken $token): void
     {
-        if ($token->getData()->getExpires()->getTimestamp() <= $this->datetimeUtil->gmtTimestamp()) {
+        if ($token->getUserContext()->getUserType() !== UserContextInterface::USER_TYPE_INTEGRATION
+            && $token->getData()->getExpires()->getTimestamp() <= $this->datetimeUtil->gmtTimestamp()
+        ) {
             throw new AuthorizationException(__('Consumer key has expired'));
         }
     }

app/code/Magento/Integration/Test/Unit/Model/CompositeTokenReaderTest.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Test\Unit\Model;
+
+use Magento\Integration\Api\Data\UserToken;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Model\CompositeTokenReader;
+use PHPUnit\Framework\TestCase;
+
+class CompositeTokenReaderTest extends TestCase
+{
+    public function testCompositeReaderReturnsFirstToken()
+    {
+        $token1 = $this->createMock(UserToken::class);
+        $reader1 = $this->createMock(UserTokenReaderInterface::class);
+        $reader1->method('read')
+            ->with('abc')
+            ->willReturn($token1);
+
+        $token2 = $this->createMock(UserToken::class);
+        $reader2 = $this->createMock(UserTokenReaderInterface::class);
+        $reader2->method('read')
+            ->with('abc')
+            ->willReturn($token2);
+
+        $composite = new CompositeTokenReader([$reader1, $reader2]);
+
+        self::assertSame($token1, $composite->read('abc'));
+    }
+
+    public function testCompositeReaderReturnsNextTokenOnError()
+    {
+        $reader1 = $this->createMock(UserTokenReaderInterface::class);
+        $reader1->method('read')
+            ->with('abc')
+            ->willThrowException(new UserTokenException('Fail'));
+
+        $token2 = $this->createMock(UserToken::class);
+        $reader2 = $this->createMock(UserTokenReaderInterface::class);
+        $reader2->method('read')
+            ->with('abc')
+            ->willReturn($token2);
+
+        $composite = new CompositeTokenReader([$reader1, $reader1, $reader2]);
+
+        self::assertSame($token2, $composite->read('abc'));
+    }
+
+    public function testCompositeReaderFailsWhenNoTokensFound()
+    {
+        $this->expectExceptionMessage('Composite reader could not read a token');
+        $this->expectException(UserTokenException::class);
+
+        $reader1 = $this->createMock(UserTokenReaderInterface::class);
+        $reader1->method('read')
+            ->with('abc')
+            ->willThrowException(new UserTokenException('Fail'));
+
+        $composite = new CompositeTokenReader([$reader1, $reader1, $reader1]);
+        $composite->read('abc');
+    }
+}

app/code/Magento/Integration/Test/Unit/Model/UserToken/ExpirationValidatorTest.php

@@ -8,6 +8,7 @@
 
 namespace Magento\Integration\Test\Unit\Model\UserToken;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Integration\Api\Data\UserToken;
 use Magento\Integration\Api\Data\UserTokenDataInterface;
@@ -62,10 +63,22 @@ public function getUserTokens(): array
             ->willReturn(\DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 16:00:00'));
         $futureToken->method('getData')->willReturn($futureData);
 
+        $integrationToken = $this->createMock(UserToken::class);
+        $userContext = $this->createMock(UserContextInterface::class);
+        $userContext->method('getUserType')
+            ->willReturn(UserContextInterface::USER_TYPE_INTEGRATION);
+        $integrationData = $this->createMock(UserTokenDataInterface::class);
+        $integrationData->method('getExpires')
+            ->willReturn(\DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 12:00:00'));
+        $integrationToken->method('getData')->willReturn($pastData);
+        $integrationToken->method('getUserContext')
+            ->willReturn($userContext);
+
         return [
             'past' => [$pastToken, false, $currentTs],
             'exact' => [$exactToken, false, $currentTs],
-            'future' => [$futureToken, true, $currentTs]
+            'future' => [$futureToken, true, $currentTs],
+            'integration' => [$integrationToken, true, $currentTs],
         ];
     }
 

app/code/Magento/Integration/etc/di.xml

@@ -45,6 +45,13 @@
     <preference for="Magento\Integration\Api\Data\UserTokenParametersInterface" type="Magento\Integration\Model\UserToken\UserTokenParameters" />
     <preference for="Magento\Integration\Api\UserTokenValidatorInterface" type="Magento\Integration\Model\CompositeUserTokenValidator" />
     <preference for="Magento\Integration\Api\UserTokenIssuerInterface" type="Magento\Integration\Model\OpaqueToken\Issuer" />
-    <preference for="Magento\Integration\Api\UserTokenReaderInterface" type="Magento\Integration\Model\OpaqueToken\Reader" />
+    <preference for="Magento\Integration\Api\UserTokenReaderInterface" type="Magento\Integration\Model\CompositeTokenReader" />
     <preference for="Magento\Integration\Api\UserTokenRevokerInterface" type="Magento\Integration\Model\OpaqueToken\Revoker" />
+    <type name="Magento\Integration\Model\CompositeTokenReader">
+        <arguments>
+            <argument name="readers" xsi:type="array">
+                <item name="5" xsi:type="object">Magento\Integration\Model\OpaqueToken\Reader</item>
+            </argument>
+        </arguments>
+    </type>
 </config>

app/code/Magento/JwtUserToken/etc/di.xml

@@ -7,7 +7,7 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
     <preference for="Magento\Integration\Api\UserTokenIssuerInterface" type="Magento\JwtUserToken\Model\Issuer" />
-    <preference for="Magento\Integration\Api\UserTokenReaderInterface" type="Magento\JwtUserToken\Model\Reader" />
+    <preference for="Magento\Integration\Api\UserTokenReaderInterface" type="Magento\Integration\Model\CompositeTokenReader" />
     <preference for="Magento\Integration\Api\UserTokenRevokerInterface" type="Magento\JwtUserToken\Model\Revoker" />
     <preference for="Magento\JwtUserToken\Model\JwtSettingsProviderInterface" type="Magento\JwtUserToken\Model\ConfigurableJwtSettingsProvider" />
     <preference for="Magento\JwtUserToken\Api\ConfigReaderInterface" type="Magento\JwtUserToken\Model\Config\ConfigReader" />
@@ -24,4 +24,11 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Integration\Model\CompositeTokenReader">
+        <arguments>
+            <argument name="readers" xsi:type="array">
+                <item name="10" xsi:type="object">Magento\JwtUserToken\Model\Reader</item>
+            </argument>
+        </arguments>
+    </type>
 </config>