fixes from code review (#22833: Short-term admin accounts)

Author: lfolco

app/code/Magento/Security/Model/Plugin/AuthSession.php

@@ -72,7 +72,7 @@ public function __construct(
     public function aroundProlong(Session $session, \Closure $proceed)
     {
         if (!$this->sessionsManager->getCurrentSession()->isLoggedInStatus() ||
-            $this->userExpirationManager->userIsExpired($session->getUser())) {
+            $this->userExpirationManager->isUserExpired($session->getUser()->getId())) {
             $session->destroy();
             $this->addUserLogoutNotification();
             return null;

app/code/Magento/Security/Model/ResourceModel/UserExpiration.php

@@ -35,7 +35,7 @@ class UserExpiration extends \Magento\Framework\Model\ResourceModel\Db\AbstractD
     public function __construct(
         \Magento\Framework\Model\ResourceModel\Db\Context $context,
         \Magento\Framework\Stdlib\DateTime\TimezoneInterface $timezone,
-        $connectionName = null
+        ?string $connectionName = null
     ) {
         parent::__construct($context, $connectionName);
         $this->timezone = $timezone;

app/code/Magento/Security/Model/ResourceModel/UserExpiration/Collection.php

@@ -33,21 +33,18 @@ protected function _construct()
     /**
      * Filter for expired, active users.
      *
-     * @param string $now
      * @return $this
      */
-    public function addActiveExpiredUsersFilter($now = null): Collection
+    public function addActiveExpiredUsersFilter(): Collection
     {
-        if ($now === null) {
-            $now = new \DateTime();
-            $now->format('Y-m-d H:i:s');
-        }
+        $currentTime = new \DateTime();
+        $currentTime->format('Y-m-d H:i:s');
         $this->getSelect()->joinLeft(
             ['user' => $this->getTable('admin_user')],
             'main_table.user_id = user.user_id',
             ['is_active']
         );
-        $this->addFieldToFilter('expires_at', ['lt' => $now])
+        $this->addFieldToFilter('expires_at', ['lt' => $currentTime])
             ->addFieldToFilter('user.is_active', 1);
 
         return $this;
@@ -59,7 +56,7 @@ public function addActiveExpiredUsersFilter($now = null): Collection
      * @param int[] $userIds
      * @return Collection
      */
-    public function addUserIdsFilter($userIds = []): Collection
+    public function addUserIdsFilter(array $userIds = []): Collection
     {
         return $this->addFieldToFilter('main_table.user_id', ['in' => $userIds]);
     }

app/code/Magento/Security/Model/UserExpiration.php

@@ -9,6 +9,8 @@
 
 /**
  * Admin User Expiration model.
+ * @method string getUserId()
+ * @method \Magento\Security\Model\UserExpiration setUserId($userId)
  * @method string getExpiresAt()
  * @method \Magento\Security\Model\UserExpiration setExpiresAt($value)
  */

app/code/Magento/Security/Model/UserExpirationManager.php

@@ -10,7 +10,9 @@
 use Magento\Security\Model\ResourceModel\UserExpiration\Collection as ExpiredUsersCollection;
 
 /**
- * Class to handle admin user expirations.
+ * Class to handle admin user expirations. Temporary admin users can be created with an expiration
+ * date that, once past, will not allow them to login to the admin. A cron is run to periodically check for expired
+ * users and, if found, will deactivate them.
  * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  */
 class UserExpirationManager
@@ -98,26 +100,26 @@ public function deactivateExpiredUsers(?array $userIds = null): void
 
         // delete expired records
         $expiredRecordIds = $expiredRecords->getAllIds();
-        $expiredRecords->walk('delete');
 
         // set user is_active to 0
         $users = $this->userCollectionFactory->create()
             ->addFieldToFilter('main_table.user_id', ['in' => $expiredRecordIds]);
         $users->setDataToAll('is_active', 0)->save();
+        $expiredRecords->walk('delete');
     }
 
     /**
      * Check if the given user is expired.
      *
-     * @param \Magento\User\Model\User $user
+     * @param string $userId
      * @return bool
      */
-    public function userIsExpired(\Magento\User\Model\User $user): bool
+    public function isUserExpired(string $userId): bool
     {
         $isExpired = false;
         /** @var \Magento\Security\Model\UserExpiration $expiredRecord */
         $expiredRecord = $this->userExpirationCollectionFactory->create()
-            ->addExpiredRecordsForUserFilter($user->getId())
+            ->addExpiredRecordsForUserFilter($userId)
             ->getFirstItem();
         if ($expiredRecord && $expiredRecord->getId()) {
             $expiresAt = $this->dateTime->timestamp($expiredRecord->getExpiresAt());

app/code/Magento/Security/Observer/AdminUserAuthenticateBefore.php

@@ -25,22 +25,22 @@ class AdminUserAuthenticateBefore implements ObserverInterface
     private $userExpirationManager;
 
     /**
-     * @var \Magento\User\Model\User
+     * @var \Magento\User\Model\UserFactory
      */
-    private $user;
+    private $userFactory;
 
     /**
      * AdminUserAuthenticateBefore constructor.
      *
      * @param UserExpirationManager $userExpirationManager
-     * @param \Magento\User\Model\User $user
+     * @param \Magento\User\Model\UserFactory $userFactory
      */
     public function __construct(
         \Magento\Security\Model\UserExpirationManager $userExpirationManager,
-        \Magento\User\Model\User $user
+        \Magento\User\Model\UserFactory $userFactory
     ) {
         $this->userExpirationManager = $userExpirationManager;
-        $this->user = $user;
+        $this->userFactory = $userFactory;
     }
 
     /**
@@ -53,10 +53,11 @@ public function __construct(
     public function execute(Observer $observer)
     {
         $username = $observer->getEvent()->getUsername();
+        $user = $this->userFactory->create();
         /** @var \Magento\User\Model\User $user */
-        $user = $this->user->loadByUsername($username);
+        $user->loadByUsername($username);
 
-        if ($user->getId() && $this->userExpirationManager->userIsExpired($user)) {
+        if ($user->getId() && $this->userExpirationManager->isUserExpired($user->getId())) {
             $this->userExpirationManager->deactivateExpiredUsers([$user->getId()]);
             throw new AuthenticationException(
                 __(

app/code/Magento/Security/Test/Unit/Model/Plugin/AuthSessionTest.php

@@ -79,7 +79,7 @@ public function setUp()
 
         $this->userExpirationManagerMock = $this->createPartialMock(
             \Magento\Security\Model\UserExpirationManager::class,
-            ['userIsExpired']
+            ['isUserExpired']
         );
 
         $this->userMock = $this->createMock(\Magento\User\Model\User::class);
@@ -183,6 +183,7 @@ public function testAroundProlongSessionIsActiveUserIsExpired()
             return $result;
         };
 
+        $adminUserId = '12345';
         $this->currentSessionMock->expects($this->once())
             ->method('isLoggedInStatus')
             ->willReturn(true);
@@ -191,9 +192,13 @@ public function testAroundProlongSessionIsActiveUserIsExpired()
             ->method('getUser')
             ->willReturn($this->userMock);
 
+        $this->userMock->expects($this->once())
+            ->method('getId')
+            ->willReturn($adminUserId);
+
         $this->userExpirationManagerMock->expects($this->once())
-            ->method('userIsExpired')
-            ->with($this->userMock)
+            ->method('isUserExpired')
+            ->with($adminUserId)
             ->willReturn(true);
 
         $this->authSessionMock->expects($this->once())
@@ -225,6 +230,7 @@ public function testAroundProlongSessionIsActive()
             return $result;
         };
 
+        $adminUserId = '12345';
         $this->currentSessionMock->expects($this->any())
             ->method('isLoggedInStatus')
             ->willReturn(true);
@@ -233,9 +239,13 @@ public function testAroundProlongSessionIsActive()
             ->method('getUser')
             ->willReturn($this->userMock);
 
+        $this->userMock->expects($this->once())
+            ->method('getId')
+            ->willReturn($adminUserId);
+
         $this->userExpirationManagerMock->expects($this->once())
-            ->method('userIsExpired')
-            ->with($this->userMock)
+            ->method('isUserExpired')
+            ->with($adminUserId)
             ->willReturn(false);
 
         $this->adminSessionsManagerMock->expects($this->any())

app/code/Magento/Security/Test/Unit/Observer/BeforeAdminUserAuthenticateTest.php renamed to app/code/Magento/Security/Test/Unit/Observer/AdminUserAuthenticateBeforeTest.php

@@ -12,7 +12,7 @@
  *
  * @package Magento\Security\Test\Unit\Observer
  */
-class BeforeAdminUserAuthenticateTest extends \PHPUnit\Framework\TestCase
+class AdminUserAuthenticateBeforeTest extends \PHPUnit\Framework\TestCase
 {
     /**
      * @var \Magento\Framework\TestFramework\Unit\Helper\ObjectManager
@@ -29,6 +29,11 @@ class BeforeAdminUserAuthenticateTest extends \PHPUnit\Framework\TestCase
      */
     private $userMock;
 
+    /**
+     * @var \PHPUnit\Framework\MockObject\MockObject|\Magento\User\Model\UserFactory
+     */
+    private $userFactoryMock;
+
     /**
      * @var \Magento\Security\Observer\AdminUserAuthenticateBefore
      */
@@ -60,14 +65,15 @@ protected function setUp()
 
         $this->userExpirationManagerMock = $this->createPartialMock(
             \Magento\Security\Model\UserExpirationManager::class,
-            ['userIsExpired', 'deactivateExpiredUsers']
+            ['isUserExpired', 'deactivateExpiredUsers']
         );
+        $this->userFactoryMock = $this->createPartialMock(\Magento\User\Model\UserFactory::class, ['create']);
         $this->userMock = $this->createPartialMock(\Magento\User\Model\User::class, ['loadByUsername', 'getId']);
         $this->observer = $this->objectManager->getObject(
             \Magento\Security\Observer\AdminUserAuthenticateBefore::class,
             [
                 'userExpirationManager' => $this->userExpirationManagerMock,
-                'user' => $this->userMock,
+                'userFactory' => $this->userFactoryMock,
             ]
         );
         $this->eventObserverMock = $this->createPartialMock(\Magento\Framework\Event\Observer::class, ['getEvent']);
@@ -85,17 +91,18 @@ protected function setUp()
      */
     public function testWithExpiredUser()
     {
-        $adminUserId = 123;
+        $adminUserId = '123';
         $username = 'testuser';
         $this->eventObserverMock->expects(static::once())->method('getEvent')->willReturn($this->eventMock);
         $this->eventMock->expects(static::once())->method('getUsername')->willReturn($username);
-        $this->userMock->expects(static::once())->method('loadByUsername')->willReturn($this->userMock);
+        $this->userFactoryMock->expects(static::once())->method('create')->willReturn($this->userMock);
+        $this->userMock->expects(static::once())->method('loadByUsername')->willReturnSelf();
 
         $this->userExpirationManagerMock->expects(static::once())
-            ->method('userIsExpired')
-            ->with($this->userMock)
+            ->method('isUserExpired')
+            ->with($adminUserId)
             ->willReturn(true);
-        $this->userMock->expects(static::exactly(2))->method('getId')->willReturn($adminUserId);
+        $this->userMock->expects(static::exactly(3))->method('getId')->willReturn($adminUserId);
         $this->userExpirationManagerMock->expects(static::once())
             ->method('deactivateExpiredUsers')
             ->with([$adminUserId])
@@ -105,15 +112,16 @@ public function testWithExpiredUser()
 
     public function testWithNonExpiredUser()
     {
-        $adminUserId = 123;
+        $adminUserId = '123';
         $username = 'testuser';
         $this->eventObserverMock->expects(static::once())->method('getEvent')->willReturn($this->eventMock);
         $this->eventMock->expects(static::once())->method('getUsername')->willReturn($username);
-        $this->userMock->expects(static::once())->method('loadByUsername')->willReturn($this->userMock);
-        $this->userMock->expects(static::once())->method('getId')->willReturn($adminUserId);
+        $this->userFactoryMock->expects(static::once())->method('create')->willReturn($this->userMock);
+        $this->userMock->expects(static::once())->method('loadByUsername')->willReturnSelf();
+        $this->userMock->expects(static::exactly(2))->method('getId')->willReturn($adminUserId);
         $this->userExpirationManagerMock->expects(static::once())
-            ->method('userIsExpired')
-            ->with($this->userMock)
+            ->method('isUserExpired')
+            ->with($adminUserId)
             ->willReturn(false);
         $this->observer->execute($this->eventObserverMock);
     }

app/code/Magento/User/etc/db_schema_whitelist.json

@@ -42,4 +42,4 @@
             "ADMIN_PASSWORDS_USER_ID_ADMIN_USER_USER_ID": true
         }
     }
-}
+}

dev/tests/integration/testsuite/Magento/Security/Model/UserExpirationManagerTest.php

@@ -9,7 +9,7 @@
 
 /**
  * Tests for \Magento\Security\Model\UserExpirationManager
- *
+ * @magentoAppArea adminhtml
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class UserExpirationManagerTest extends \PHPUnit\Framework\TestCase
@@ -42,8 +42,6 @@ class UserExpirationManagerTest extends \PHPUnit\Framework\TestCase
     protected function setUp()
     {
         $this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
-        $this->objectManager->get(\Magento\Framework\Config\ScopeInterface::class)
-            ->setCurrentScope(\Magento\Backend\App\Area\FrontNameResolver::AREA_CODE);
         $this->auth = $this->objectManager->create(\Magento\Backend\Model\Auth::class);
         $this->authSession = $this->objectManager->create(\Magento\Backend\Model\Auth\Session::class);
         $this->adminSessionInfo = $this->objectManager->create(\Magento\Security\Model\AdminSessionInfo::class);
@@ -59,7 +57,7 @@ public function testUserIsExpired()
     {
         $adminUserNameFromFixture = 'adminUserExpired';
         $user = $this->loadUserByUsername($adminUserNameFromFixture);
-        static::assertTrue($this->userExpirationManager->userIsExpired($user));
+        static::assertTrue($this->userExpirationManager->isUserExpired($user->getId()));
     }
 
     /**