Merge pull request #1 from aligent/feature/pci_4_compatibility

Feature/pci 4 compatibility

Author: aligent-lturner

.github/workflows/integration-tests.yml

@@ -0,0 +1,138 @@
+name: Integration Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  integration-test:
+    runs-on: "ubuntu-latest"
+
+    # Only run integration tests on feature branches. Simple documentation updates, formatting can be ignored
+    if: contains(github.head_ref, 'feature')
+    name: ${{ matrix.job_title }}
+    strategy:
+      fail-fast: true
+      matrix:
+        magento:
+          [
+            "magento/project-community-edition:>=2.4.6 <2.4.7",
+            "magento/project-community-edition:>=2.4.7 <2.4.8",
+          ]
+        include:
+          - magento: magento/project-community-edition:>=2.4.6 <2.4.7
+            php: 8.2
+            composer: 2.2
+            mysql: "mysql:8.0"
+            elasticsearch: "elasticsearch:7.17.9"
+            rabbitmq: "rabbitmq:3.12-management"
+            redis: "redis:7.0"
+            job_title: "2.4.6"
+
+          - magento: magento/project-community-edition:>=2.4.7 <2.4.8
+            php: 8.3
+            composer: 2.7
+            mysql: "mariadb:10.6"
+            elasticsearch: "elasticsearch:7.17.9"
+            rabbitmq: "rabbitmq:3.12-management"
+            redis: "redis:7.2"
+            job_title: "2.4.7"
+
+    services:
+      elasticsearch:
+        image: ${{ matrix.elasticsearch }}
+        env:
+          discovery.type: single-node
+        options: >-
+          --health-cmd "curl http://localhost:9200/_cluster/health"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 10
+        ports:
+          - 9200:9200
+
+      mysql:
+        image: ${{ matrix.mysql }}
+        env:
+          MYSQL_DATABASE: magento_integration_tests
+          MYSQL_USER: user
+          MYSQL_PASSWORD: password
+          MYSQL_ROOT_PASSWORD: rootpassword
+        ports:
+          - 3306:3306
+        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
+
+      rabbitmq:
+        image: ${{ matrix.rabbitmq }}
+        env:
+          RABBITMQ_DEFAULT_USER: guest
+          RABBITMQ_DEFAULT_PASS: guest
+        ports:
+          - 5672:5672
+          - 15672:15672
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set PHP Version
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          tools: composer:2
+          coverage: none
+
+      - run: composer create-project --repository-url="https://mirror.mage-os.org/" "${{ matrix.magento }}" ../magento2 --no-install
+        shell: bash
+        env:
+          COMPOSER_AUTH: ""
+        name: Create Magento ${{ matrix.magento }} Project
+
+      - uses: graycoreio/github-actions-magento2/get-magento-version@main
+        id: magento-version
+        with:
+          working-directory: "../magento2"
+
+      - name: Get Composer Cache Directory
+        shell: bash
+        working-directory: "../magento2"
+        id: composer-cache
+        run: |
+          echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: "Cache Composer Packages"
+        uses: actions/cache@v4
+        with:
+          key: "composer | v5 | '' | ${{ hashFiles('composer.lock') }}"
+          path: ${{ steps.composer-cache.outputs.dir }}
+
+      - run: composer config repositories.local path $GITHUB_WORKSPACE
+        name: Add Github Repo for Testing
+        working-directory: "../magento2"
+        shell: bash
+
+      - run: |
+          composer config --no-interaction allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
+          composer config --no-interaction allow-plugins.laminas/laminas-dependency-plugin true
+          composer config --no-interaction allow-plugins.magento/* true
+        name: Fixup Composer Plugins
+        working-directory: "../magento2"
+
+      - run: composer require aligent/magento2-pci-4-compatibility "@dev" --no-update && composer install
+        name: Require and attempt install
+        working-directory: "../magento2"
+        shell: bash
+        env:
+          COMPOSER_CACHE_DIR: ${{ steps.composer-cache.outputs.dir }}
+          COMPOSER_AUTH: ${{ secrets.composer_auth }}
+
+      - name: Replace Configuration Settings for env
+        working-directory: ../magento2/dev/tests/integration
+        run: |
+          sed -i "s/'db-host' => 'localhost'/'db-host' => '127.0.0.1'/" etc/install-config-mysql.php.dist
+          sed -i "s/'db-user' => 'root'/'db-user' => 'user'/" etc/install-config-mysql.php.dist
+          sed -i "s/'db-password' => '123123q'/'db-password' => 'password'/" etc/install-config-mysql.php.dist
+          sed -i "s/'elasticsearch-host' => 'localhost'/'elasticsearch-host' => '127.0.0.1'/" etc/install-config-mysql.php.dist
+          sed -i "s/'amqp-host' => 'localhost'/'amqp-host' => '127.0.0.1'/" etc/install-config-mysql.php.dist
+
+      - run: ../../../vendor/bin/phpunit ../../../vendor/aligent/magento2-pci-4-compatibility/Test/Integration
+        working-directory: ../magento2/dev/tests/integration
+        name: Run Integration Tests

Console/DisableInactiveAccounts.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+namespace Aligent\Pci4Compatibility\Console;
+
+use Aligent\Pci4Compatibility\Model\DisableInactiveAdminAccounts;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class DisableInactiveAccounts extends Command
+{
+
+    /**
+     * @param DisableInactiveAdminAccounts $disableInactiveAdminAccounts
+     * @param string|null $name
+     */
+    public function __construct(
+        private readonly DisableInactiveAdminAccounts $disableInactiveAdminAccounts,
+        ?string $name = null
+    ) {
+        parent::__construct($name);
+    }
+
+    protected function configure(): void
+    {
+        $this->setName('aligent:pci4:disable-inactive-accounts');
+        $this->setDescription('Disable admin accounts with 90 days of inactivity');
+        parent::configure();
+    }
+
+    /**
+     * Disable admin accounts with 90 days of inactivity
+     *
+     * Used to be able to satisfy PCI DSS 4.0.1 requirement 8.2.6
+     *
+     * @param InputInterface $input
+     * @param OutputInterface $output
+     * @return void
+     */
+    protected function execute(InputInterface $input, OutputInterface $output): void
+    {
+        $output->writeln(__("Disabling any admin accounts with 90 days of inactivity"));
+        $this->disableInactiveAdminAccounts->execute();
+        $output->writeln(__("Disabling of accounts complete"));
+    }
+}

Cron/DisableInactiveAccounts.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+namespace Aligent\Pci4Compatibility\Cron;
+
+use Aligent\Pci4Compatibility\Model\DisableInactiveAdminAccounts;
+
+class DisableInactiveAccounts
+{
+
+    /**
+     * @param DisableInactiveAdminAccounts $inactiveUsers
+     */
+    public function __construct(
+        private readonly DisableInactiveAdminAccounts $inactiveUsers,
+    ) {
+    }
+
+    /**
+     * Cron job that simply runs service to disable inactive admin accounts.
+     *
+     * This is to satisfy PCI DSS 4.0.1 requirement 8.2.6
+     *
+     * @return void
+     */
+    public function execute(): void
+    {
+        $this->inactiveUsers->execute();
+    }
+}

Model/DisableInactiveAdminAccounts.php

@@ -0,0 +1,90 @@
+<?php
+
+declare(strict_types=1);
+namespace Aligent\Pci4Compatibility\Model;
+
+use DateInterval;
+use Magento\Framework\Stdlib\DateTime\TimezoneInterface;
+use Magento\User\Model\ResourceModel\User as UserResource;
+use Magento\User\Model\ResourceModel\User\CollectionFactory as UserCollectionFactory;
+use Magento\User\Model\User;
+use Psr\Log\LoggerInterface;
+
+class DisableInactiveAdminAccounts
+{
+    private const INACTIVE_DAYS = 90;
+
+    /**
+     * @param TimezoneInterface $localeDate
+     * @param UserCollectionFactory $userCollectionFactory
+     * @param UserResource $userResource
+     * @param LoggerInterface $logger
+     */
+    public function __construct(
+        private readonly TimezoneInterface $localeDate,
+        private readonly UserCollectionFactory $userCollectionFactory,
+        private readonly UserResource $userResource,
+        private readonly LoggerInterface $logger
+    ) {
+    }
+
+    /**
+     * Sets the account of any admin user with no login in the last 90 days to inactive.
+     *
+     * This is used to be able to satisfy PCI DSS 4.0.1 requirement 8.2.6
+     *
+     * @return void
+     */
+    public function execute(): void
+    {
+        try {
+            $currentDate = $this->localeDate->date();
+            $currentDateUtc = $currentDate->setTimezone(new \DateTimeZone('UTC'));
+            $utcDateTime = $currentDateUtc->sub(new DateInterval('P' . self::INACTIVE_DAYS . 'D'));
+            $utcDateTime = $utcDateTime->format('Y-m-d H:i:s');
+        } catch (\Exception $e) {
+            $this->logger->critical(
+                __METHOD__ . ': Could not get cutoff date for inactivity: ' . $e->getMessage(),
+                ['exception' => $e]
+            );
+            return;
+        }
+
+        // find users that have been inactive for 90 days
+        $userCollection = $this->userCollectionFactory->create();
+        // don't need to disable accounts that are already disabled
+        $userCollection->addFieldToFilter('is_active', '1');
+        $userCollection->addFieldToFilter('logdate', ['lt' => $utcDateTime]);
+        $users = $userCollection->getItems();
+        foreach ($users as $user) {
+            /** @var User $user */
+            $this->disableUserAccount($user);
+        }
+
+        // find user accounts older than 90 days that have never logged in
+        $userCollection = $this->userCollectionFactory->create();
+        $userCollection->addFieldToFilter('is_active', '1');
+        $userCollection->addFieldToFilter('logdate', ['null' => true]);
+        $userCollection->addFieldToFilter('created', ['lt' => $utcDateTime]);
+        $users = $userCollection->getItems();
+        foreach ($users as $user) {
+            /** @var User $user */
+            $this->disableUserAccount($user);
+        }
+    }
+
+    private function disableUserAccount(User $user): void
+    {
+        $user->setData('is_active', 0);
+        $username = $user->getData('username');
+        try {
+            $this->userResource->save($user);
+            $this->logger->info("Account for user $username has been disabled.");
+        } catch (\Exception $e) {
+            $this->logger->critical(
+                __METHOD__ . ": Could not disable account for user $username :" . $e->getMessage(),
+                ['exception' => $e]
+            );
+        }
+    }
+}

Plugin/Model/ReplacePasswordValidationRules.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+namespace Aligent\Pci4Compatibility\Plugin\Model;
+
+use Magento\Framework\Validator\DataObject;
+use Magento\Framework\Validator\NotEmpty;
+use Magento\Framework\Validator\Regex;
+use Magento\Framework\Validator\StringLength;
+use Magento\User\Model\UserValidationRules;
+
+class ReplacePasswordValidationRules
+{
+
+    private const MIN_PASSWORD_LENGTH = 12;
+
+    /**
+     * Updates the requirements for admin passwords so that the minimum length is 12 characters
+     *
+     * @param UserValidationRules $subject
+     * @param callable $proceed
+     * @param DataObject $validator
+     * @return DataObject
+     */
+    public function aroundAddPasswordRules(
+        UserValidationRules $subject,
+        callable $proceed,
+        DataObject $validator
+    ): DataObject {
+        $passwordNotEmpty = new NotEmpty();
+        $passwordNotEmpty->setMessage(__('Password is required field.'), NotEmpty::IS_EMPTY);
+        $passwordLength = new StringLength(['min' => self::MIN_PASSWORD_LENGTH, 'encoding' => 'UTF-8']);
+        $passwordLength->setMessage(
+            __('Your password must be at least %1 characters.', self::MIN_PASSWORD_LENGTH),
+            StringLength::TOO_SHORT
+        );
+        $passwordChars = new Regex('/[a-z].*\d|\d.*[a-z]/iu');
+        $passwordChars->setMessage(
+            __('Your password must include both numeric and alphabetic characters.'),
+            Regex::NOT_MATCH
+        );
+        $validator->addRule($passwordNotEmpty,'password');
+        $validator->addRule($passwordLength, 'password');
+        $validator->addRule($passwordChars,'password');
+
+        return $validator;
+    }
+}