Merge branch 'magento-commerce:develop' into graphql-api-enhancements

Author: eliseacornejo

TwoFactorAuth/Model/Config/Backend/Leeway.php

@@ -0,0 +1,64 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\TwoFactorAuth\Model\Config\Backend;
+
+use Magento\Framework\App\Config\Value;
+use Magento\Framework\App\Config\Data\ProcessorInterface;
+use Magento\Framework\Exception\ValidatorException;
+use OTPHP\TOTPInterface;
+
+class Leeway extends Value implements ProcessorInterface
+{
+    /**
+     * Fetch Totp default period value
+     *
+     * @return int
+     */
+    private function getDefaultPeriod(): int
+    {
+        return TOTPInterface::DEFAULT_PERIOD;
+    }
+
+    /**
+     * Process the value before saving.
+     *
+     * @param mixed $value The configuration value.
+     * @return mixed The processed value.
+     * @throws ValidatorException If the value is invalid.
+     */
+    public function processValue($value)
+    {
+        if (!is_numeric($value)) {
+            throw new ValidatorException(__('The Leeway must be a numeric value.'));
+        }
+        $numericValue = (int) $value;
+        return $numericValue;
+    }
+
+    /**
+     * Validates the value before saving.
+     *
+     * @throws ValidatorException If the value is invalid.
+     */
+    public function beforeSave()
+    {
+        $value = $this->getValue();
+        $period = $this->getDefaultPeriod();
+        if (!is_numeric($value) || $value < 1 || $value >= $period) {
+            throw new ValidatorException(
+                __(
+                    'Invalid Leeway value. It must be between 1 and %1 as default period is %2',
+                    $period-1,
+                    $period
+                )
+            );
+        }
+
+        return parent::beforeSave();
+    }
+}

TwoFactorAuth/Model/Provider/Engine/DuoSecurity.php

@@ -77,13 +77,21 @@ class DuoSecurity implements EngineInterface
      */
     private $scopeConfig;
 
+    /**
+     * @var string
+     */
+    private $duoSignaturePrefix;
+
     /**
      * @param ScopeConfigInterface $scopeConfig
+     * @param string $duoSignaturePrefix
      */
     public function __construct(
-        ScopeConfigInterface $scopeConfig
+        ScopeConfigInterface $scopeConfig,
+        string $duoSignaturePrefix = self::AUTH_PREFIX
     ) {
         $this->scopeConfig = $scopeConfig;
+        $this->duoSignaturePrefix = $duoSignaturePrefix;
     }
 
     /**
@@ -208,7 +216,7 @@ public function getRequestSignature(UserInterface $user): string
         $duoSignature = $this->signValues(
             $this->getSecretKey(),
             $values,
-            static::DUO_PREFIX,
+            $this->duoSignaturePrefix,
             static::DUO_EXPIRE,
             $time
         );

TwoFactorAuth/Model/Provider/Engine/Google.php

@@ -35,7 +35,7 @@ class Google implements EngineInterface
     /**
      * Config path for the OTP window
      */
-    const XML_PATH_OTP_WINDOW = 'twofactorauth/google/otp_window';
+    public const XML_PATH_LEEWAY = 'twofactorauth/google/leeway';
 
     /**
      * Engine code
@@ -199,7 +199,7 @@ public function verify(UserInterface $user, DataObject $request): bool
         return $totp->verify(
             $token,
             null,
-            $config['window'] ?? (int)$this->scopeConfig->getValue(self::XML_PATH_OTP_WINDOW) ?: null
+            $config['window'] ?? (int)$this->scopeConfig->getValue(self::XML_PATH_LEEWAY) ?: null
         );
     }
 

TwoFactorAuth/Test/Api/GoogleActivateTest.php

@@ -129,7 +129,7 @@ public function testAlreadyActivatedProvider()
     /**
      * @magentoConfigFixture twofactorauth/general/force_providers google
      * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php
-     * @magentoConfigFixture twofactorauth/google/otp_window 20
+     * @magentoConfigFixture twofactorauth/google/leeway 29
      */
     public function testActivate()
     {

TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php

@@ -223,7 +223,7 @@ public function testNotConfiguredProvider(): void
     /**
      * @magentoConfigFixture twofactorauth/general/force_providers google
      * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php
-     * @magentoConfigFixture twofactorauth/google/otp_window 20
+     * @magentoConfigFixture twofactorauth/google/leeway 29
      *
      * @return void
      */

TwoFactorAuth/Test/Unit/Model/Provider/Engine/DuoSecurityTest.php

@@ -8,6 +8,7 @@
 
 namespace Magento\TwoFactorAuth\Test\Unit\Model\Provider\Engine;
 
+use Magento\User\Api\Data\UserInterface;
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -21,20 +22,32 @@ class DuoSecurityTest extends TestCase
      */
     private $model;
 
+    /**
+     * @var DuoSecurity
+     */
+    private $modelWithForcedDuoAuth;
+
     /**
      * @var ScopeConfigInterface|MockObject
      */
     private $configMock;
 
+    /**
+     * @var UserInterface|MockObject
+     */
+    private $user;
+
     /**
      * @inheritDoc
      */
     protected function setUp(): void
     {
         $objectManager = new ObjectManager($this);
         $this->configMock = $this->getMockBuilder(ScopeConfigInterface::class)->disableOriginalConstructor()->getMock();
+        $this->user = $this->getMockBuilder(UserInterface::class)->disableOriginalConstructor()->getMock();
 
         $this->model = $objectManager->getObject(DuoSecurity::class, ['scopeConfig' => $this->configMock]);
+        $this->modelWithForcedDuoAuth = new DuoSecurity($this->configMock, $this->model::DUO_PREFIX);
     }
 
     /**
@@ -119,4 +132,26 @@ public function testIsEnabled(
 
         $this->assertEquals($expected, $this->model->isEnabled());
     }
+
+    public function testGetRequestSignature() : void
+    {
+        $this->user->expects($this->any())
+            ->method('getUserName')
+            ->willReturn('admin');
+        $this->configMock->expects($this->any())
+            ->method('getValue')
+            ->willReturn('SECRET');
+
+        $this->assertStringContainsString($this->model::AUTH_PREFIX, $this->model->getRequestSignature($this->user));
+        $this->assertStringNotContainsString($this->model::DUO_PREFIX, $this->model->getRequestSignature($this->user));
+
+        $this->assertStringContainsString(
+            $this->model::DUO_PREFIX,
+            $this->modelWithForcedDuoAuth->getRequestSignature($this->user)
+        );
+        $this->assertStringNotContainsString(
+            $this->model::AUTH_PREFIX,
+            $this->modelWithForcedDuoAuth->getRequestSignature($this->user)
+        );
+    }
 }

TwoFactorAuth/etc/adminhtml/di.xml

@@ -21,4 +21,9 @@
     <type name="Magento\Backend\Model\Auth">
         <plugin name="delete_tfat_cookie" type="Magento\TwoFactorAuth\Plugin\DeleteCookieOnLogout"/>
     </type>
+    <type name="Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity">
+        <arguments>
+            <argument name="duoSignaturePrefix" xsi:type="const">Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity::DUO_PREFIX</argument>
+        </arguments>
+    </type>
 </config>

TwoFactorAuth/etc/adminhtml/system.xml

@@ -39,10 +39,11 @@
             <group id="google" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="0"
                    showInStore="0">
                 <label>Google</label>
-                <field id="otp_window" translate="label comment" type="text" sortOrder="10" showInDefault="1"
+                <field id="leeway" translate="label comment" type="text" sortOrder="10" showInDefault="1"
                        showInWebsite="0" showInStore="0" canRestore="1">
-                    <label>OTP Window</label>
-                    <comment>This determines how long the one-time-passwords are valid for. An OTP Window of 1 will result in the current OTP value plus 1 code in the past and 1 code in the future to be valid at any given point in time.</comment>
+                    <label>Leeway</label>
+                    <comment>This sets the time drift leeway for OTPs. A leeway of 29 with a period of 30 means OTPs are valid within ±29 seconds from the current time. The leeway must be smaller than the period</comment>
+                    <backend_model>Magento\TwoFactorAuth\Model\Config\Backend\Leeway</backend_model>
                 </field>
             </group>
             <group id="duo" translate="label" type="text" sortOrder="40" showInDefault="1" showInWebsite="0"

TwoFactorAuth/etc/config.xml

@@ -21,7 +21,7 @@
                 <application_key backend_model="Magento\Config\Model\Config\Backend\Encrypted"/>
             </duo>
             <google>
-                <otp_window>1</otp_window>
+                <leeway backend_model="Magento\TwoFactorAuth\Model\Config\Backend\Leeway">29</leeway>
             </google>
         </twofactorauth>
     </default>