Merge branch '2.4-develop' into issue-24635

Author: svera

app/code/Magento/Backend/App/Action/Plugin/Authentication.php

@@ -225,8 +225,10 @@ protected function _redirectIfNeededAfterLogin(\Magento\Framework\App\RequestInt
 
         // Checks, whether secret key is required for admin access or request uri is explicitly set
         if ($this->_url->useSecretKey()) {
-            $requestParts = explode('/', trim($request->getRequestUri(), '/'), 2);
-            $requestUri = $this->_url->getUrl(array_pop($requestParts));
+            $requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
+            $baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
+            $routeIndex = empty($baseUrlPath) ? 0 : 1;
+            $requestUri = $this->_url->getUrl($requestParts[$routeIndex]);
         } elseif ($request) {
             $requestUri = $request->getRequestUri();
         }

app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php

@@ -1,13 +1,17 @@
 <?php
 /**
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
 namespace Magento\Backend\Controller\Adminhtml\Auth;
 
+use Magento\Backend\App\Area\FrontNameResolver;
+use Magento\Backend\App\BackendAppList;
+use Magento\Backend\Model\UrlFactory;
 use Magento\Framework\App\Action\HttpGetActionInterface as HttpGet;
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPost;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\App\Request\Http;
 
 /**
  * @api
@@ -20,18 +24,50 @@ class Login extends \Magento\Backend\Controller\Adminhtml\Auth implements HttpGe
      */
     protected $resultPageFactory;
 
+    /**
+     * @var FrontNameResolver
+     */
+    private $frontNameResolver;
+
+    /**
+     * @var BackendAppList
+     */
+    private $backendAppList;
+
+    /**
+     * @var UrlFactory
+     */
+    private $backendUrlFactory;
+
+    /**
+     * @var Http
+     */
+    private $http;
+
     /**
      * Constructor
      *
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
+     * @param FrontNameResolver|null $frontNameResolver
+     * @param BackendAppList|null $backendAppList
+     * @param UrlFactory|null $backendUrlFactory
+     * @param Http|null $http
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
-        \Magento\Framework\View\Result\PageFactory $resultPageFactory
+        \Magento\Framework\View\Result\PageFactory $resultPageFactory,
+        FrontNameResolver $frontNameResolver = null,
+        BackendAppList $backendAppList = null,
+        UrlFactory $backendUrlFactory = null,
+        Http $http = null
     ) {
         $this->resultPageFactory = $resultPageFactory;
         parent::__construct($context);
+        $this->frontNameResolver = $frontNameResolver ?? ObjectManager::getInstance()->get(FrontNameResolver::class);
+        $this->backendAppList = $backendAppList ?? ObjectManager::getInstance()->get(BackendAppList::class);
+        $this->backendUrlFactory = $backendUrlFactory ?? ObjectManager::getInstance()->get(UrlFactory::class);
+        $this->http = $http ?? ObjectManager::getInstance()->get(Http::class);
     }
 
     /**
@@ -49,7 +85,8 @@ public function execute()
         }
 
         $requestUrl = $this->getRequest()->getUri();
-        if (!$requestUrl->isValid()) {
+
+        if (!$requestUrl->isValid() || !$this->isValidBackendUri()) {
             return $this->getRedirect($this->getUrl('*'));
         }
 
@@ -69,4 +106,26 @@ private function getRedirect($path)
         $resultRedirect->setPath($path);
         return $resultRedirect;
     }
+
+    /**
+     * Verify if correct backend uri requested.
+     *
+     * @return bool
+     */
+    private function isValidBackendUri(): bool
+    {
+        $requestUri = $this->getRequest()->getRequestUri();
+        $backendApp = $this->backendAppList->getCurrentApp();
+        $baseUrl = parse_url($this->backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
+        if (!$backendApp) {
+            $backendFrontName = $this->frontNameResolver->getFrontName();
+        } else {
+            //In case of application authenticating through the admin login, the script name should be removed
+            //from the path, because application has own script.
+            $baseUrl = $this->http->getUrlNoScript($baseUrl);
+            $backendFrontName = $backendApp->getCookiePath();
+        }
+
+        return strpos($requestUri, $baseUrl . $backendFrontName) === 0;
+    }
 }

app/code/Magento/Backend/Test/Mftf/Data/AdminWebConfigData.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:noNamespaceSchemaLocation="urn:magento:mftf:DataGenerator/etc/dataProfileSchema.xsd">
+    <entity name="AdminEnableUrlRewritesConfigData">
+        <data key="path">web/seo/use_rewrites</data>
+        <data key="value">1</data>
+    </entity>
+    <entity name="AdminDisableUrlRewritesConfigData">
+        <data key="path">web/seo/use_rewrites</data>
+        <data key="value">0</data>
+    </entity>
+</entities>

app/code/Magento/Backend/Test/Mftf/Test/AdminLoginSuccessfulWithRewritesDisabledTest.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminLoginSuccessfulWithRewritesDisabledTest">
+        <annotations>
+            <features value="Backend"/>
+            <stories value="Login on the Admin Login page"/>
+            <title
+                value="Admin should be able to log into the Magento Admin backend successfully if url rewrites are disabled"/>
+            <description
+                value="Admin should be able to log into the Magento Admin backend successfully if url rewrites are disabled"/>
+            <severity value="CRITICAL"/>
+            <group value="example"/>
+            <group value="login"/>
+        </annotations>
+
+        <before>
+            <magentoCLI command="config:set {{AdminDisableUrlRewritesConfigData.path}} {{AdminDisableUrlRewritesConfigData.value}}" stepKey="disableUrlRewrites"/>
+        </before>
+        <after>
+            <magentoCLI command="config:set {{AdminEnableUrlRewritesConfigData.path}} {{AdminEnableUrlRewritesConfigData.value}}" stepKey="enableUrlRewrites"/>
+        </after>
+
+        <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+        <actionGroup ref="AssertAdminSuccessLoginActionGroup" stepKey="assertLoggedIn"/>
+        <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutFromAdmin"/>
+    </test>
+</tests>

app/code/Magento/Backend/Test/Unit/Controller/Adminhtml/Auth/LoginTest.php

@@ -0,0 +1,198 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Backend\Test\Unit\Controller\Adminhtml\Auth;
+
+use Laminas\Uri\Http;
+use Magento\Backend\App\Action\Context;
+use Magento\Backend\App\Area\FrontNameResolver;
+use Magento\Backend\App\BackendAppList;
+use Magento\Backend\Controller\Adminhtml\Auth\Login;
+use Magento\Backend\Helper\Data;
+use Magento\Backend\Model\Auth;
+use Magento\Backend\Model\Url;
+use Magento\Backend\Model\UrlFactory;
+use Magento\Backend\Model\View\Result\Redirect;
+use Magento\Framework\App\Cache\StateInterface as CacheState;
+use Magento\Framework\App\Cache\TypeListInterface as CacheTypeList;
+use Magento\Framework\App\RequestInterface as Request;
+use Magento\Framework\App\State;
+use Magento\Framework\Controller\Result\RedirectFactory;
+use Magento\Framework\Message\ManagerInterface as MessageManager;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\View\Result\PageFactory;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Test for \Magento\Backend\Controller\Adminhtml\Auth\Login.
+ */
+class LoginTest extends TestCase
+{
+    /**
+     * @var Login
+     */
+    private $controller;
+
+    /**
+     * @var Redirect|MockObject
+     */
+    private $redirectMock;
+
+    /**
+     * @var Request|MockObject
+     */
+    private $requestMock;
+
+    /**
+     * @var Auth|MockObject
+     */
+    private $authMock;
+
+    /**
+     * @var Http|MockObject
+     */
+    private $uriMock;
+
+    /**
+     * @var PageFactory|MockObject
+     */
+    private $resultPageFactoryMock;
+
+    /**
+     * @var BackendAppList|MockObject
+     */
+    private $backendAppListMock;
+
+    /**
+     * @var UrlFactory|MockObject
+     */
+    private $backendUrlFactoryMock;
+
+    /**
+     * @var Url|MockObject
+     */
+    private $backendUrlMock;
+
+    /**
+     * @var FrontNameResolver|MockObject
+     */
+    private $frontNameResolverMock;
+
+    /**
+     * @var RedirectFactory|MockObject
+     */
+    private $resultRedirectFactoryMock;
+
+    /**
+     * @var Data|MockObject
+     */
+    private $helperMock;
+
+    protected function setUp(): void
+    {
+        $objectManagerHelper = new ObjectManagerHelper($this);
+
+        $this->helperMock = $this->createMock(Data::class);
+        $this->requestMock = $this->getMockBuilder(Request::class)
+            ->setMethods(['getUri', 'getRequestUri'])
+            ->getMockForAbstractClass();
+        $this->redirectMock = $this->getMockBuilder(Redirect::class)
+            ->disableOriginalConstructor()
+            ->disableOriginalClone()
+            ->getMock();
+        $this->resultRedirectFactoryMock = $this->createMock(RedirectFactory::class);
+        $this->resultPageFactoryMock = $this->createMock(PageFactory::class);
+        $this->authMock = $this->createMock(Auth::class);
+        $this->backendAppListMock = $this->createMock(BackendAppList::class);
+        $this->backendUrlMock = $this->createMock(Url::class);
+        $this->backendUrlFactoryMock = $this->createMock(UrlFactory::class);
+        $this->frontNameResolverMock = $this->createMock(FrontNameResolver::class);
+        $this->uriMock = $this->createMock(Http::class);
+
+        $this->resultRedirectFactoryMock->expects($this->any())
+            ->method('create')
+            ->willReturn($this->redirectMock);
+        $this->backendUrlFactoryMock->expects($this->any())
+            ->method('create')
+            ->willReturn($this->backendUrlMock);
+        $this->requestMock->expects($this->any())
+            ->method('getUri')
+            ->willReturn($this->uriMock);
+
+        $contextMock = $this->getMockBuilder(Context::class)
+            ->disableOriginalConstructor()
+            ->disableOriginalClone()
+            ->getMock();
+
+        $contextMock->expects($this->once())
+            ->method('getResultFactory')
+            ->willReturn($this->resultRedirectFactoryMock);
+        $contextMock->expects($this->once())
+            ->method('getRequest')
+            ->willReturn($this->requestMock);
+        $contextMock->expects($this->once())
+            ->method('getHelper')
+            ->willReturn($this->helperMock);
+        $contextMock->expects($this->once())
+            ->method('getResultRedirectFactory')
+            ->willReturn($this->resultRedirectFactoryMock);
+        $contextMock->expects($this->once())
+            ->method('getAuth')
+            ->willReturn($this->authMock);
+
+        $this->controller = $objectManagerHelper->getObject(
+            Login::class,
+            [
+                'context' => $contextMock,
+                'resultPageFactory' => $this->resultPageFactoryMock,
+                'backendAppList' => $this->backendAppListMock,
+                'backendUrlFactory' => $this->backendUrlFactoryMock,
+                'frontNameResolver' => $this->frontNameResolverMock,
+            ]
+        );
+    }
+
+    /**
+     * Test for isValidBackendUri method.
+     *
+     * @param string $requestUri
+     * @param string $baseUrl
+     * @param string $backendFrontName
+     * @param bool $redirect
+     *
+     * @dataProvider isValidBackendUriDataProvider
+     */
+    public function testIsValidBackendUri(string $requestUri, string $baseUrl, string $backendFrontName, bool $redirect)
+    {
+        $this->uriMock->expects($this->once())->method('isValid')->willReturn(true);
+        $this->authMock->expects($this->once())->method('isLoggedIn')->willReturn(false);
+        $this->requestMock->expects($this->once())->method('getRequestUri')->willReturn($requestUri);
+        $this->backendUrlMock->expects($this->once())->method('getBaseUrl')->willReturn($baseUrl);
+        $this->frontNameResolverMock->expects($this->once())->method('getFrontName')->willReturn($backendFrontName);
+
+        $this->resultPageFactoryMock->expects($this->exactly($redirect ? 0 : 1))->method('create');
+        $this->resultRedirectFactoryMock->expects($this->exactly($redirect ? 1 : 0))->method('create');
+
+        $this->controller->execute();
+    }
+
+    /**
+     * Data provider for testIsValidBackendUri.
+     *
+     * @return array[]
+     */
+    public function isValidBackendUriDataProvider()
+    {
+        return [
+            'Rewrites on, valid url' => ['/index.php/admin', 'http://magento2.local/', 'admin', true],
+            'Rewrites on, invalid url' => ['/admin', 'http://magento2.local/', 'admin', false],
+            'Rewrites off, valid url' => ['/index.php/admin', 'http://magento2.local/index.php/', 'admin', false],
+            'Rewrites off, invalid url' => ['/admin', 'http://magento2.local/index.php/', 'admin', true],
+        ];
+    }
+}