ACP2E-2969: REST API unable to make requests with slash (/) in SKU when using Oauth1

- overridden laminas sign method

Author: aplapana

composer.json

@@ -89,8 +89,7 @@
         "tubalmartin/cssmin": "^4.1",
         "web-token/jwt-framework": "^3.1",
         "webonyx/graphql-php": "^15.0",
-        "wikimedia/less.php": "^3.2",
-        "guzzlehttp/oauth-subscriber": "^0.6"
+        "wikimedia/less.php": "^3.2"
     },
     "require-dev": {
         "allure-framework/allure-phpunit": "^2",

lib/internal/Magento/Framework/Oauth/Helper/HmacSignature.php renamed to lib/internal/Magento/Framework/Oauth/Helper/Utility.php

@@ -1,10 +1,7 @@
 <?php
 /************************************************************************
  *
- * ADOBE CONFIDENTIAL
- * ___________________
- *
- * Copyright 2023 Adobe
+ * Copyright 2024 Adobe
  * All Rights Reserved.
  *
  * NOTICE: All information contained herein is, and remains
@@ -24,37 +21,62 @@
 use Laminas\Crypt\Hmac as HMACEncryption;
 use Laminas\OAuth\Http\Utility as HTTPUtility;
 
-class HmacSignature
+class Utility extends HTTPUtility
 {
-    private const HMAC_ALGO = '256';
-
     /**
      * @param array $params
+     * @param $signatureMethod
      * @param string $consumerSecret
-     * @param string|null $tokenSecret
-     * @param string|null $method
-     * @param string|null $url
+     * @param null $tokenSecret
+     * @param null $method
+     * @param null $url
      * @return string
      */
     public function sign(
         array $params,
-        string $consumerSecret,
-        ?string $tokenSecret = null,
-        ?string $method = null,
-        ?string $url = null
+        $signatureMethod,
+        $consumerSecret,
+        $tokenSecret = null,
+        $method = null,
+        $url = null
     ): string {
         unset($params['oauth_signature']);
 
         $binaryHash = HMACEncryption::compute(
             $this->assembleKey($consumerSecret, $tokenSecret),
-            self::HMAC_ALGO,
+            $signatureMethod,
             $this->getBaseSignatureString($params, $method, $url),
             HMACEncryption::OUTPUT_BINARY
         );
 
         return base64_encode($binaryHash);
     }
 
+    /**
+     * Cast to authorization header
+     *
+     * @param array $params
+     * @param null $realm
+     * @param bool $excludeCustomParams
+     * @return string
+     */
+    public function toAuthorizationHeader(array $params, $realm = null, $excludeCustomParams = true)
+    {
+        $headerValue = [];
+        foreach ($params as $key => $value) {
+            if ($excludeCustomParams) {
+                if (! preg_match("/^oauth_/", $key)) {
+                    continue;
+                }
+            }
+            $headerValue[] = $this->urlEncode($key)
+                . '="'
+                . $this->urlEncode($value) . '"';
+        }
+
+        return implode(",", $headerValue);
+    }
+
     /**
      * Assemble key from consumer and token secrets
      *
@@ -69,7 +91,7 @@ private function assembleKey(string $consumerSecret, ?string $tokenSecret): stri
             $parts[] = $tokenSecret;
         }
         foreach ($parts as $key => $secret) {
-            $parts[$key] = HTTPUtility::urlEncode($secret);
+            $parts[$key] = self::urlEncode($secret);
         }
 
         return implode('&', $parts);
@@ -87,21 +109,20 @@ private function getBaseSignatureString(array $params, $method = null, $url = nu
     {
         $encodedParams = [];
         foreach ($params as $key => $value) {
-            $encodedParams[HTTPUtility::urlEncode($key)] =
-                HTTPUtility::urlEncode($value);
+            $encodedParams[self::urlEncode($key)] =
+                self::urlEncode($value);
         }
         $baseStrings = [];
         if (isset($method)) {
             $baseStrings[] = strtoupper($method);
         }
         if (isset($url)) {
-            // should normalise later. here is the problem
-            $baseStrings[] = HTTPUtility::urlEncode($url);
+            $baseStrings[] = self::urlEncode($url);
         }
         if (isset($encodedParams['oauth_signature'])) {
             unset($encodedParams['oauth_signature']);
         }
-        $baseStrings[] = HTTPUtility::urlEncode(
+        $baseStrings[] = self::urlEncode(
             $this->toByteValueOrderedQueryString($encodedParams)
         );
 

lib/internal/Magento/Framework/Oauth/Oauth.php

@@ -6,14 +6,10 @@
 
 namespace Magento\Framework\Oauth;
 
-use GuzzleHttp\Subscriber\Oauth\Oauth1;
-use Laminas\OAuth\Http\Utility;
-use GuzzleHttp\Psr7\Request;
-use Psr\Http\Message\RequestInterface;
+use Magento\Framework\Oauth\Helper\Utility;
 use Magento\Framework\Encryption\Helper\Security;
 use Magento\Framework\Phrase;
 use Magento\Framework\Oauth\Exception as AuthException;
-use Magento\Framework\App\RequestInterface as AppRequest;
 
 /**
  * Authorization service.
@@ -25,11 +21,6 @@ class Oauth implements OauthInterface
      */
     protected $_oauthHelper;
 
-    /**
-     * @var  Utility
-     */
-    protected $_httpUtility;
-
     /**
      * @var \Magento\Framework\Oauth\NonceGeneratorInterface
      */
@@ -41,35 +32,26 @@ class Oauth implements OauthInterface
     protected $_tokenProvider;
 
     /**
-     * @var AppRequest
-     */
-    private AppRequest $request;
-
-    /**
-     * @var Oauth1|null
+     * @var Utility
      */
-    private ?Oauth1 $oauth1Helper = null;
+    private Utility $hmacSignatureHelper;
 
     /**
      * @param Helper\Oauth $oauthHelper
      * @param NonceGeneratorInterface $nonceGenerator
      * @param TokenProviderInterface $tokenProvider
-     * @param AppRequest $request
-     * @param Utility|null $httpUtility
+     * @param Utility $utility
      */
     public function __construct(
         Helper\Oauth $oauthHelper,
         NonceGeneratorInterface $nonceGenerator,
         TokenProviderInterface $tokenProvider,
-        AppRequest $request,
-        Utility $httpUtility = null
+        Utility $utility
     ) {
         $this->_oauthHelper = $oauthHelper;
         $this->_nonceGenerator = $nonceGenerator;
         $this->_tokenProvider = $tokenProvider;
-        $this->request = $request;
-        // null default to prevent ObjectManagerFactory from injecting, see MAGETWO-30809
-        $this->_httpUtility = $httpUtility ?: new Utility();
+        $this->hmacSignatureHelper = $utility;
     }
 
     /**
@@ -172,18 +154,16 @@ public function buildAuthorizationHeader(
             'oauth_version' => '1.0',
         ];
         $headerParameters = array_merge($headerParameters, $params);
-        $headerParameters['oauth_signature'] = $this->_httpUtility->sign(
+        $headerParameters['oauth_signature'] = $this->hmacSignatureHelper->sign(
             $params,
-            $signatureMethod,
+            'SHA256',
             $headerParameters['oauth_consumer_secret'],
             $headerParameters['oauth_token_secret'],
             $httpMethod,
             $requestUrl
         );
-        $authorizationHeader = $this->_httpUtility->toAuthorizationHeader($headerParameters);
-        // toAuthorizationHeader adds an optional realm="" which is not required for now.
-        // http://tools.ietf.org/html/rfc2617#section-1.2
-        return str_replace('realm="",', '', $authorizationHeader);
+
+        return $this->hmacSignatureHelper->toAuthorizationHeader($headerParameters);
     }
 
     /**
@@ -208,35 +188,16 @@ protected function _validateSignature($params, $consumerSecret, $httpMethod, $re
             );
         }
 
-        $allowedSignParams = $params;
-        unset($allowedSignParams['oauth_signature']);
-
-        $calculatedSign = $this->_httpUtility->sign(
-            $allowedSignParams,
-            $params['oauth_signature_method'],
+        $calculatedSign = $this->hmacSignatureHelper->sign(
+            $params,
+            'SHA256',
             $consumerSecret,
             $tokenSecret,
             $httpMethod,
             $requestUrl
         );
 
-        $calculatedSign2 = $this->getOauthHelper(
-            [
-                'consumer_key'    => $params['oauth_consumer_key'],
-                'consumer_secret' => $consumerSecret,
-                'token'           => $params['oauth_token'],
-                'token_secret'    => $tokenSecret
-            ]
-        )->getSignature($this->getRequestFromArray(
-            [
-                'method' => $httpMethod,
-                'uri' => $requestUrl,
-                'headers' => $this->request->getHeaders()->toArray(),
-                'body' => $httpMethod == 'GET' ? null : json_encode($this->request->getParams()) //this does not cover all cases request type
-            ]
-        ), $params);
-
-        if (!Security::compareStrings($calculatedSign2, $params['oauth_signature'])) {
+        if (!Security::compareStrings($calculatedSign, $params['oauth_signature'])) {
             throw new AuthException(new Phrase('The signature is invalid. Verify and try again.'));
         }
     }
@@ -328,31 +289,4 @@ protected function _checkRequiredParams($protocolParams, $requiredParams)
             throw $exception;
         }
     }
-
-    /**
-     * @param array $params
-     * @return Oauth1
-     */
-    private function getOauthHelper(array $params): Oauth1
-    {
-        if (!$this->oauth1Helper) {
-            $this->oauth1Helper = new Oauth1($params);
-        }
-
-        return $this->oauth1Helper;
-    }
-
-    /**
-     * @param array $data
-     * @return RequestInterface
-     */
-    private function getRequestFromArray(array $data): RequestInterface
-    {
-        $method = $data['method'] ?? 'GET';
-        $uri = $data['uri'] ?? '';
-        $headers = $data['headers'] ?? [];
-        $body = $data['body'] ?? '';
-
-        return new Request($method, $uri, $headers, $body);
-    }
 }