Merge branch 'develop' of github.com:magento-cia/security-package into imported-magento-security-package-286

Author: nathanjosiah

README.md

@@ -2,24 +2,26 @@
 Welcome to Magento 2 installation! We're glad you chose to install Magento 2, a cutting-edge, feature-rich eCommerce solution that gets results.
 
 ## Magento System Requirements
-[Magento System Requirements](https://devdocs.magento.com/guides/v2.3/install-gde/system-requirements.html).
+*   [Magento System Requirements](https://devdocs.magento.com/guides/v2.4/install-gde/system-requirements.html)
 
 ## Install Magento
 
-*	[Installation Guide](https://devdocs.magento.com/guides/v2.3/install-gde/bk-install-guide.html).
+*	[Installation Guide](https://devdocs.magento.com/guides/v2.4/install-gde/bk-install-guide.html)
 
 <h2>Contributing to the Magento 2 Code Base</h2>
 Contributions can take the form of new components or features, changes to existing features, tests, documentation (such as developer guides, user guides, examples, or specifications), bug fixes, optimizations, or just good suggestions.
 
 To learn about how to make a contribution, click [here][1].
 
-To learn about issues, click [here][2]. To open an issue, click [here][3].
+To learn about issues, click [here][2].
+
+To open an issue, click [here][3].
 
 To suggest documentation improvements, click [here][4].
 
-[1]: <https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html>
-[2]: <https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#report>
-[3]: <https://github.com/magento/security-package/issues>
+[1]: https://devdocs.magento.com/contributor-guide/contributing.html
+[2]: https://devdocs.magento.com/contributor-guide/contributing.html#report
+[3]: https://github.com/magento/security-package/issues
 [4]: <https://devdocs.magento.com>
 
 <h3>Community Maintainers</h3>
@@ -37,7 +39,7 @@ Magento is thankful for any contribution that can improve our code base, documen
 
 ### Labels Applied by the Magento Team
 We apply labels to public Pull Requests and Issues to help other participants retrieve additional information about current progress, component assignments, Magento release lines, and much more.
-Please review the [Code Contributions guide](https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#labels) for detailed information on labels used in Magento 2 repositories.
+Please review the [Code Contributions guide](https://devdocs.magento.com/contributor-guide/contributing.html#labels) for detailed information on labels used in Magento 2 repositories.
 
 ## Reporting Security Issues
 
@@ -50,7 +52,7 @@ Stay up-to-date on the latest security news and patches for Magento by signing u
 Each Magento source file included in this distribution is licensed under OSL 3.0 or the Magento Enterprise Edition (MEE) license.
 
 [Open Software License (OSL 3.0)](https://opensource.org/licenses/osl-3.0.php).
-Please see [LICENSE.txt](https://github.com/magento/security-package/blob/2.3-develop/LICENSE.txt) for the full text of the OSL 3.0 license or contact [email protected] for a copy.
+Please see [LICENSE.txt](https://github.com/magento/security-package/blob/develop/LICENSE.txt) for the full text of the OSL 3.0 license or contact [email protected] for a copy.
 
 Subject to Licensee's payment of fees and compliance with the terms and conditions of the MEE License, the MEE License supersedes the OSL 3.0 license for each source file.
 Please see LICENSE_EE.txt for the full text of the MEE License or visit https://magento.com/legal/terms/enterprise.
@@ -62,6 +64,6 @@ To connect with Magento and the Community, join us on the [Magento Community Eng
 
 We have channels for each project. These channels are recommended for new members:
 
-- [general](https://magentocommeng.slack.com/messages/C4YS78WE6): Open chat for introductions and Magento 2 questions
-- [github](https://magentocommeng.slack.com/messages/C7KB93M32): Support for GitHub issues, pull requests, and processes
-- [public-backlog](https://magentocommeng.slack.com/messages/CCV3J3RV5): Discussions of the Magento 2 backlog
+- [general](https://magentocommeng.slack.com/archives/C4YS78WE6): Open chat for introductions and Magento 2 questions
+- [github](https://magentocommeng.slack.com/archives/C7KB93M32): Support for GitHub issues, pull requests, and processes
+- [public-backlog](https://magentocommeng.slack.com/archives/CCV3J3RV5): Discussions of the Magento 2 backlog

ReCaptchaAdminUi/README.md

@@ -1 +1,7 @@
-Please refer to: https://github.com/magento/security-package
+# Magento reCAPTCHA
+
+Google reCAPTCHA ensures that a human being, rather than a computer (or “bot”), is interacting with your website. Unlike the standard Magento CAPTCHA, Google reCAPTCHA provides enhanced security with a selection of different display options and methods. Additional website traffic information is available in the dashboard of your Google reCAPTCHA account.
+
+This module provides the reCAPTCHA UI files related to views in the admin panel.
+
+For more information please visit the [Magento document for reCAPTCHA](https://docs.magento.com/user-guide/stores/security-google-recaptcha.html).

ReCaptchaAdminUi/etc/di.xml

@@ -18,4 +18,11 @@
             </argument>
         </arguments>
     </virtualType>
+    <type name="Magento\ReCaptchaUi\Model\CaptchaTypeResolver">
+        <arguments>
+            <argument name="resolvers" xsi:type="array">
+                <item name="admin" xsi:type="object">Magento\ReCaptchaAdminUi\Model\CaptchaTypeResolver</item>
+            </argument>
+        </arguments>
+    </type>
 </config>

ReCaptchaCheckout/Block/LayoutProcessor/Checkout/Onepage.php

@@ -40,11 +40,7 @@ public function __construct(
     }
 
     /**
-     * {@inheritdoc}
-     *
-     * @param array $jsLayout
-     * @return array
-     * @throws InputException
+     * @inheritDoc
      */
     public function process($jsLayout)
     {
@@ -76,6 +72,20 @@ public function process($jsLayout)
                 unset($jsLayout['components']['checkout']['children']['authentication']['children']['recaptcha']);
             }
         }
+        $key = 'place_order';
+        if ($this->isCaptchaEnabled->isCaptchaEnabledFor($key)) {
+            $jsLayout['components']['checkout']['children']['steps']['children']['billing-step']['children']
+            ['payment']['children']['beforeMethods']['children']['place-order-recaptcha-container']['children']
+            ['place-order-recaptcha']['settings'] = $this->captchaUiConfigResolver->get($key);
+        } else {
+            if (isset($jsLayout['components']['checkout']['children']['steps']['children']['billing-step']['children']
+                ['payment']['children']['beforeMethods']['children']['place-order-recaptcha'])) {
+                unset($jsLayout['components']['checkout']['children']['steps']['children']['billing-step']['children']
+                    ['payment']['children']['beforeMethods']['children']['place-order-recaptcha-container']
+                    ['children']['place-order-recaptcha']);
+            }
+        }
+
         return $jsLayout;
     }
 }

ReCaptchaCheckout/Model/WebapiConfigProvider.php

@@ -0,0 +1,61 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\ReCaptchaCheckout\Model;
+
+use Magento\ReCaptchaUi\Model\IsCaptchaEnabledInterface;
+use Magento\ReCaptchaUi\Model\ValidationConfigResolverInterface;
+use Magento\ReCaptchaValidationApi\Api\Data\ValidationConfigInterface;
+use Magento\ReCaptchaWebapiApi\Api\Data\EndpointInterface;
+use Magento\ReCaptchaWebapiApi\Api\WebapiValidationConfigProviderInterface;
+
+/**
+ * Provide checkout related endpoint configuration.
+ */
+class WebapiConfigProvider implements WebapiValidationConfigProviderInterface
+{
+    private const CAPTCHA_ID = 'place_order';
+
+    /**
+     * @var IsCaptchaEnabledInterface
+     */
+    private $isEnabled;
+
+    /**
+     * @var ValidationConfigResolverInterface
+     */
+    private $configResolver;
+
+    /**
+     * @param IsCaptchaEnabledInterface $isEnabled
+     * @param ValidationConfigResolverInterface $configResolver
+     */
+    public function __construct(IsCaptchaEnabledInterface $isEnabled, ValidationConfigResolverInterface $configResolver)
+    {
+        $this->isEnabled = $isEnabled;
+        $this->configResolver = $configResolver;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getConfigFor(EndpointInterface $endpoint): ?ValidationConfigInterface
+    {
+        //phpcs:disable Magento2.PHP.LiteralNamespaces
+        if ($endpoint->getServiceMethod() === 'savePaymentInformationAndPlaceOrder'
+            || $endpoint->getServiceClass() === 'Magento\QuoteGraphQl\Model\Resolver\SetPaymentAndPlaceOrder'
+            || $endpoint->getServiceClass() === 'Magento\QuoteGraphQl\Model\Resolver\PlaceOrder'
+        ) {
+            if ($this->isEnabled->isCaptchaEnabledFor(self::CAPTCHA_ID)) {
+                return $this->configResolver->get(self::CAPTCHA_ID);
+            }
+        }
+        //phpcs:enable Magento2.PHP.LiteralNamespaces
+
+        return null;
+    }
+}

ReCaptchaCheckout/README.md

@@ -1 +1,7 @@
-Please refer to: https://github.com/magento/security-package
+# Magento reCAPTCHA
+
+Google reCAPTCHA ensures that a human being, rather than a computer (or “bot”), is interacting with your website. Unlike the standard Magento CAPTCHA, Google reCAPTCHA provides enhanced security with a selection of different display options and methods. Additional website traffic information is available in the dashboard of your Google reCAPTCHA account.
+
+This module provides the reCAPTCHA implementations related to checkout.
+
+For more information please visit the [Magento document for reCAPTCHA](https://docs.magento.com/user-guide/stores/security-google-recaptcha.html).

ReCaptchaCheckout/Test/Api/GuestPaymentInformationManagementTest.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\ReCaptchaCheckout\Test\Api;
+
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Quote\Model\Quote;
+use Magento\Quote\Model\QuoteFactory;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\TestCase\WebapiAbstract;
+
+/**
+ * Test that checkout APIs are covered with ReCaptcha
+ */
+class GuestPaymentInformationManagementTest extends WebapiAbstract
+{
+    private const API_ROUTE = '/V1/guest-carts/%s/payment-information';
+
+    /**
+     * @var QuoteFactory
+     */
+    private $quoteFactory;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->_markTestAsRestOnly();
+        $objectManager = Bootstrap::getObjectManager();
+        $this->quoteFactory = $objectManager->get(QuoteFactory::class);
+    }
+
+    /**
+     * @magentoApiDataFixture Magento/Checkout/_files/quote_with_check_payment.php
+     * @magentoConfigFixture default_store customer/captcha/enable 0
+     * @magentoConfigFixture base_website recaptcha_frontend/type_invisible/public_key test_public_key
+     * @magentoConfigFixture base_website recaptcha_frontend/type_invisible/private_key test_private_key
+     * @magentoConfigFixture base_website recaptcha_frontend/type_for/place_order invisible
+     */
+    public function testRequired(): void
+    {
+        $this->expectException(\Throwable::class);
+        $this->expectExceptionCode(400);
+        $this->expectExceptionMessage('{"message":"ReCaptcha validation failed, please try again"}');
+
+        /** @var Quote $quote */
+        $quote = $this->quoteFactory->create();
+        $quote->load('test_order_1', 'reserved_order_id');
+        $cartId = $quote->getId();
+        $payment = $quote->getPayment();
+        $address = $quote->getBillingAddress();
+        $addressData = [];
+        $addressProperties = [
+            'city', 'company', 'countryId', 'firstname', 'lastname', 'postcode',
+            'region', 'regionCode', 'regionId', 'saveInAddressBook', 'street', 'telephone', 'email'
+        ];
+        foreach ($addressProperties as $property) {
+            $method = 'get' . $property;
+            $addressData[$property] = $address->$method();
+        }
+
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => sprintf(self::API_ROUTE, $cartId),
+                'httpMethod' => Request::HTTP_METHOD_POST,
+                'token' => null
+            ],
+        ];
+        $requestData = [
+            'cart_id' => $cartId,
+            'billingAddress' => $addressData,
+            'email' => $quote->getCustomerEmail(),
+            'paymentMethod' => [
+                'additional_data' => $payment->getAdditionalData(),
+                'method' => $payment->getMethod(),
+                'po_number' => $payment->getPoNumber()
+            ]
+        ];
+
+        $this->_webApiCall($serviceInfo, $requestData);
+    }
+}

ReCaptchaCheckout/Test/Api/PaymentInformationManagementTest.php

@@ -0,0 +1,97 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\ReCaptchaCheckout\Test\Api;
+
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\Quote\Model\Quote;
+use Magento\Quote\Model\QuoteFactory;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\TestCase\WebapiAbstract;
+
+/**
+ * Test that checkout APIs are covered with ReCaptcha
+ */
+class PaymentInformationManagementTest extends WebapiAbstract
+{
+    private const API_ROUTE = '/V1/carts/mine/payment-information';
+
+    /**
+     * @var QuoteFactory
+     */
+    private $quoteFactory;
+
+    /**
+     * @var CustomerTokenServiceInterface
+     */
+    private $tokenService;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->_markTestAsRestOnly();
+        $objectManager = Bootstrap::getObjectManager();
+        $this->quoteFactory = $objectManager->get(QuoteFactory::class);
+        $this->tokenService = $objectManager->get(CustomerTokenServiceInterface::class);
+    }
+
+    /**
+     * @magentoApiDataFixture Magento/Checkout/_files/customer_quote_ready_for_order.php
+     * @magentoConfigFixture default_store customer/captcha/enable 0
+     * @magentoConfigFixture base_website recaptcha_frontend/type_invisible/public_key test_public_key
+     * @magentoConfigFixture base_website recaptcha_frontend/type_invisible/private_key test_private_key
+     * @magentoConfigFixture base_website recaptcha_frontend/type_for/place_order invisible
+     */
+    public function testRequired(): void
+    {
+        $this->expectException(\Throwable::class);
+        $this->expectExceptionCode(400);
+        $this->expectExceptionMessage('{"message":"ReCaptcha validation failed, please try again"}');
+
+        /** @var Quote $quote */
+        $quote = $this->quoteFactory->create();
+        $quote->load('55555555', 'reserved_order_id');
+        $cartId = $quote->getId();
+        $payment = $quote->getPayment();
+        $address = $quote->getBillingAddress();
+        $addressData = [];
+        $addressProperties = [
+            'city', 'company', 'countryId', 'firstname', 'lastname', 'postcode',
+            'region', 'regionCode', 'regionId', 'saveInAddressBook', 'street', 'telephone', 'email'
+        ];
+        foreach ($addressProperties as $property) {
+            $method = 'get' . $property;
+            $addressData[$property] = $address->$method();
+        }
+        $token = $this->tokenService->createCustomerAccessToken('[email protected]', 'password');
+
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => self::API_ROUTE,
+                'httpMethod' => Request::HTTP_METHOD_POST,
+                'token' => $token
+            ],
+        ];
+        $requestData = [
+            'cart_id' => $cartId,
+            'billingAddress' => $addressData,
+            'email' => $quote->getCustomerEmail(),
+            'paymentMethod' => [
+                'additional_data' => $payment->getAdditionalData(),
+                'method' => $payment->getMethod(),
+                'po_number' => $payment->getPoNumber()
+            ]
+        ];
+
+        $this->_webApiCall($serviceInfo, $requestData);
+    }
+}

ReCaptchaCheckout/composer.json

@@ -5,7 +5,12 @@
         "php": "~7.3.0||~7.4.0",
         "magento/framework": "*",
         "magento/module-checkout": "*",
-        "magento/module-re-captcha-ui": "*"
+        "magento/module-re-captcha-ui": "*",
+        "magento/module-re-captcha-validation-api": "*",
+        "magento/module-re-captcha-admin-ui": "*",
+        "magento/module-re-captcha-frontend-ui": "*",
+        "magento/module-re-captcha-webapi-api": "*",
+        "magento/module-re-captcha-webapi-ui": "*"
     },
     "type": "magento2-module",
     "license": "OSL-3.0",