OXAP-337 Add a secret key to the cron controller

.travis.yml

@@ -24,7 +24,7 @@ script:
   - docker-compose exec web /bin/bash -c "./scripts/build.sh 5.3"
   - docker-compose exec web /bin/bash -c "./scripts/build.sh dev-b-6.0-ce"
   - docker-compose exec web /bin/bash -c "./scripts/build.sh dev-b-6.1-ce"
-  - docker-compose exec web /bin/bash -c "./scripts/build.sh dev-b-6.2-beta-ce"
+  - docker-compose exec web /bin/bash -c "./scripts/build.sh dev-b-6.2-ce"
 before_deploy:
   - ssh-keyscan $DEPLOYMENT_SERVER >> $HOME/.ssh/known_hosts
   - (umask  077 ; echo $DEPLOYMENT_SSH_KEY | base64 --decode > /tmp/deploy_rsa)

CHANGELOG.md

@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec2.0.0.html).
+## [3.6.6] - 2020-02-02
+### Fixed
+- Adds a secret key to the controller
+See the Documenatation how to use the Secret Key in CronJobs [#Secret Key](https://amazon.bestit-support.de/de/oxap/master/einstellungen-statuswechsel#secretkey)
+
 ## [3.6.5] - 2020-02-01
 ### Fixed
 - optimization to the controllers

application/controllers/admin/bestitamazonpay4oxid_init.php

@@ -321,6 +321,21 @@ public static function onActivate()
             );
         }
 
+        //generate secret key used for the cron calls
+        $sAmazonCronSecretKey = $oConfig->getConfigParam('sAmazonCronSecretKey');
+        if (empty($sAmazonCronSecretKey)) {
+            $sAmazonCronSecretKey = self::_generatePassword();
+
+            $oConfig->setConfigParam('sAmazonCronSecretKey', $sAmazonCronSecretKey);
+            $oConfig->saveShopConfVar(
+                'str',
+                'sAmazonCronSecretKey',
+                $sAmazonCronSecretKey,
+                $oConfig->getShopId(),
+                'module:bestitamazonpay4oxid'
+            );
+        }
+
         self::clearTmp();
     }
 
@@ -338,6 +353,45 @@ public static function onDeactivate()
         self::_getDatabase()->execute($sSql);
     }
 
+    /**
+     * @see https://gist.github.com/tylerhall/521810
+     * Generates a strong password of N length containing at least one lower case letter,
+     * one uppercase letter and one digit. The remaining characters
+     * in the password are chosen at random from those four sets.
+     *
+     * The available characters in each set are user friendly - there are no ambiguous
+     * characters such as i, l, 1, o, 0, etc. This makes it much easier for users to manually
+     * type or speak their passwords.
+     *
+     * @param int $length
+     *
+     * @return string
+     */
+    protected static function _generatePassword($length = 15)
+    {
+        $sets = array();
+        $sets[] = 'abcdefghjkmnpqrstuvwxyz';
+        $sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
+        $sets[] = '23456789';
+
+        $pool = '';
+        $password = '';
+
+        foreach ($sets as $set) {
+            $password .= $set[array_rand(str_split($set))];
+            $pool .= $set;
+        }
+
+        $pool = str_split($pool);
+        for ($i = 0; $i < $length - count($sets); ++$i) {
+            $password .= $pool[array_rand($pool)];
+        }
+        $password = str_shuffle($password);
+
+        return $password;
+    }
+
+
     /**
      * Returns the current installed version.
      *

application/controllers/bestitamazoncron.php

@@ -292,8 +292,9 @@ protected function _closeOrders()
      */
     public function render()
     {
-        // Only execute the complete cronjob if the action is not amazon call
-        if ($this->_getContainer()->getConfig()->getRequestParameter('fnc') !== 'amazonCall') {
+        // Only execute the complete cronjob if the action is not amazon call and the secret key is correct
+        if ($this->_getContainer()->getConfig()->getRequestParameter('fnc') !== 'amazonCall'
+            && $this->_verifySecretKey() === true) {
             //Increase execution time for the script to run without timeouts
             set_time_limit(3600);
 
@@ -357,6 +358,46 @@ protected function _getOperationName()
         return false;
     }
 
+    /**
+     * Method returns Secret Key from request
+     *
+     * @return mixed
+     * @throws oxSystemComponentException
+     */
+    protected function _getSecretKey()
+    {
+        $secretKey = $this->_getContainer()->getConfig()->getRequestParameter('key');
+
+        if ($secretKey !== null) {
+            return $secretKey;
+        }
+
+        $this->setViewData(array('sError' => "No Secret Key given"));
+        return false;
+    }
+
+    /**
+     * Method that verifys the Secret Key from request
+     *
+     * @return bool
+     * @throws oxSystemComponentException
+     */
+    protected function _verifySecretKey()
+    {
+        $sCronSecretkeyParameter = $this->_getSecretKey();
+        $sCronSecretkey = $this->_getContainer()->getConfig()->getConfigParam('sAmazonCronSecretKey');
+
+        if ($sCronSecretkeyParameter === false ||  $sCronSecretkey !== $sCronSecretkeyParameter) {
+            $this->setViewData(array(
+                'sError' => 'Wrong Secret Key given.'
+            ));
+
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * Method returns Order object
      *
@@ -413,6 +454,10 @@ public function amazonCall()
         $sOperation = $this->_getOperationName();
         $allowedOperations = array('processorderreference', 'getorderreferencedetails', 'setorderreferencedetails', 'confirmorderreference', 'cancelorderreference', 'closeorderreference', 'closeauthorization', 'authorize', 'processauthorization', 'getauthorizationdetails', 'getauthorizationdetails', 'setcapturestate', 'capture', 'getcapturedetails', 'savecapture', 'refund', 'updaterefund', 'getrefunddetails', 'setorderattributes', 'processamazonlogin');
 
+        if ($this->_verifySecretKey() !== true) {
+            return;
+        }
+
         if ($sOperation !== false && in_array(strtolower($sOperation), $allowedOperations)) {
             $oResult = $this->_getContainer()->getClient()->{$sOperation}(
                 $order = $this->_getOrder(),

application/views/admin/de/bestitamazonpay4oxid_lang.php

@@ -15,6 +15,8 @@
     'SHOP_MODULE_blAmazonSandboxActive'                    => 'Sandbox-Modus',
     'SHOP_MODULE_sAmazonSellerId'                          => 'Händler-ID (Händlernummer)',
     'SHOP_MODULE_sAmazonAWSAccessKeyId'                    => 'Amazon MWS-Zugangsschlüssel',
+    'SHOP_MODULE_sAmazonCronSecretKey'                          => 'Cron geheimer Schlüssel',
+    'SHOP_MODULE_blGenerateNewAmazonCronSecretKey'          => 'Wenn der Haken gesetzt ist wird ein neuer Cron Secret Key generiert wenn die Konfigurationen gespeichert werden. Beachten Sie das Serverseitige CronJobs mit dem key angepasst werden müssen!',
     'SHOP_MODULE_sAmazonSignature'                         => 'MWS geheimer Schlüssel',
     'SHOP_MODULE_blAmazonLogging'                          => 'Logs speichern',
     'SHOP_MODULE_blAmazonLoggingLevel'                     => 'Log Level',

application/views/admin/en/bestitamazonpay4oxid_lang.php

@@ -15,6 +15,8 @@
     'SHOP_MODULE_blAmazonSandboxActive'                     => 'Sandbox mode',
     'SHOP_MODULE_sAmazonSellerId'                           => 'Seller (Merchant) ID',
     'SHOP_MODULE_sAmazonAWSAccessKeyId'                     => 'Amazon MWS key',
+    'SHOP_MODULE_sAmazonCronSecretKey'                          => 'Cron Secret Key',
+    'SHOP_MODULE_blGenerateNewAmazonCronSecretKey'          => 'If checked generates a new Cron Secret Key up on saving. Keep in mind to update your server CronJobs with the new key.',
     'SHOP_MODULE_sAmazonSignature'                          => 'MWS Secret Key',
     'SHOP_MODULE_blAmazonLogging'                           => 'Logging enabled',
     'SHOP_MODULE_blAmazonLoggingLevel'                     => 'Log Level',

application/views/admin/tpl/bestitamazonpay4oxid_main.tpl

@@ -225,17 +225,17 @@
                     <tr><td colspan="3"><b>[{oxmultilang ident="BESTIT_AMAZON_SELECT_ACTION"}]:</b></td></tr>
                     <tr>
                         <td valign="top">
-                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetOrderReferenceDetails&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetOrderReferenceDetails</a></div>
-                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=Authorize&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">Authorize</a></div>
-                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetAuthorizationDetails&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetAuthorizationDetails</a></div>[{/if}]
-                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=Capture&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">Capture</a></div>[{/if}]
-                            [{if $edit->oxorder__bestitamazoncaptureid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetCaptureDetails&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetCaptureDetails</a></div>[{/if}]
+                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetOrderReferenceDetails&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetOrderReferenceDetails</a></div>
+                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=Authorize&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">Authorize</a></div>
+                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetAuthorizationDetails&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetAuthorizationDetails</a></div>[{/if}]
+                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=Capture&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">Capture</a></div>[{/if}]
+                            [{if $edit->oxorder__bestitamazoncaptureid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=GetCaptureDetails&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">GetCaptureDetails</a></div>[{/if}]
                         </td>
                         <td width="5%">&nbsp;</td>
                         <td valign="top">
-                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CloseAuthorization&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CloseAuthorization</a></div>[{/if}]
-                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CancelOrderReference&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CancelOrderReference</a></div>
-                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CloseOrderReference&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CloseOrderReference</a></div>
+                            [{if $edit->oxorder__bestitamazonauthorizationid->value}]<div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CloseAuthorization&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CloseAuthorization</a></div>[{/if}]
+                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CancelOrderReference&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CancelOrderReference</a></div>
+                            <div><a href="[{$oConfig->getShopURL()}]index.php?cl=bestitamazoncron&fnc=amazonCall&operation=CloseOrderReference&key=[{$oViewConf->getAmazonConfigValue('sAmazonCronSecretKey')}]&oxid=[{$oxid}]&shp=[{$oConfig->getShopId()}]" target="_blank">CloseOrderReference</a></div>
                         </td>
                     </tr>
                 </table>

composer.json

@@ -4,7 +4,7 @@
   "type": "oxideshop-module",
   "keywords": ["oxid", "modules", "eShop"],
   "homepage": "https://www.bestit-online.de",
-  "version": "3.6.5",
+  "version": "3.6.6",
   "license": [
     "GPL-3.0-only",
     "proprietary"

ext/bestitamazonpay4oxid_module_config.php

@@ -37,7 +37,7 @@ protected function _parentSaveConfVars()
 
     /**
      * Extends the save config variable function to store the amazon config vars
-     * from the provided config json object.
+     * from the provided config json object or generate a new cron secret key
      * @throws oxSystemComponentException
      */
     public function saveConfVars()
@@ -63,11 +63,54 @@ public function saveConfVars()
                         $_POST[$sMainKey][$sSubKey] = $aQuickConfig[$sAmazonKey];
                     }
                 }
+
+                if ((bool) $_POST['confbools']['blGenerateNewAmazonCronSecretKey'] === true) {
+                    $_POST['confbools']['blGenerateNewAmazonCronSecretKey'] = false;
+                    $_POST['confstrs']['sAmazonCronSecretKey'] = self::_generatePassword();
+                }
             } catch (\Exception $oException) {
                 //Do nothing
             }
         }
 
         $this->_parentSaveConfVars();
     }
+
+    /**
+     * @see https://gist.github.com/tylerhall/521810
+     * Generates a strong password of N length containing at least one lower case letter,
+     * one uppercase letter and one digit. The remaining characters
+     * in the password are chosen at random from those four sets.
+     *
+     * The available characters in each set are user friendly - there are no ambiguous
+     * characters such as i, l, 1, o, 0, etc. This makes it much easier for users to manually
+     * type or speak their passwords.
+     *
+     * @param int $length
+     *
+     * @return string
+     */
+    protected static function _generatePassword($length = 15)
+    {
+        $sets = array();
+        $sets[] = 'abcdefghjkmnpqrstuvwxyz';
+        $sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
+        $sets[] = '23456789';
+
+        $pool = '';
+        $password = '';
+
+        foreach ($sets as $set) {
+            $password .= $set[array_rand(str_split($set))];
+            $pool .= $set;
+        }
+
+        $pool = str_split($pool);
+        for ($i = 0; $i < $length - count($sets); ++$i) {
+            $password .= $pool[array_rand($pool)];
+        }
+        $password = str_shuffle($password);
+
+        return $password;
+    }
 }

metadata.php

@@ -40,7 +40,7 @@
 		<b style="color: red">Wenn Sie das Modul von einer vorhergehenden Version updaten muss das Module deaktivert und erneut aktiviert werden</b>'
     ),
     'thumbnail' => 'bestitamazonpay4oxid_logo.png',
-    'version' => '3.6.5',
+    'version' => '3.6.6',
     'author' => 'best it GmbH & Co. KG',
     'url' => 'http://www.bestit-online.de',
     'email' => '[email protected]',
@@ -205,12 +205,26 @@
             'value' => '',
             'position' => 4
         ),
+        array(
+            'group' => 'bestitAmazonPay4OxidSettings',
+            'name' => 'sAmazonCronSecretKey',
+            'type' => 'str',
+            'value' => '',
+            'position' => 5
+        ),
+        array(
+            'group' => 'bestitAmazonPay4OxidSettings',
+            'name' => 'blGenerateNewAmazonCronSecretKey',
+            'type' => 'bool',
+            'value' => 'false',
+            'position' => 6
+        ),
         array(
             'group' => 'bestitAmazonPay4OxidSettings',
             'name' => 'blAmazonLogging',
             'type' => 'bool',
             'value' => 'true',
-            'position' => 5
+            'position' => 7
         ),
         array(
             'group' => 'bestitAmazonPay4OxidSettings',

tests/unit/application/controllers/admin/bestitAmazonPay4OxidInitTest.php

@@ -190,26 +190,32 @@ public function testOnActivate()
                 '2.3.0'
             ));
 
-        $oConfig->expects($this->exactly(8))
+        $oConfig->expects($this->exactly(11))
             ->method('getConfigParam')
             ->withConsecutive(
                 array('blBestitAmazonPay4OxidEnableMultiCurrency'),
+                array('sAmazonCronSecretKey'),
                 array('sCompileDir'),
                 array('sAmazonMode'),
                 array('blBestitAmazonPay4OxidEnableMultiCurrency'),
+                array('sAmazonCronSecretKey'),
                 array('sCompileDir'),
                 array('sAmazonMode'),
                 array('blBestitAmazonPay4OxidEnableMultiCurrency'),
+                array('sAmazonCronSecretKey'),
                 array('sCompileDir')
             )
             ->will($this->onConsecutiveCalls(
                 false,
+                1234,
                 $this->oRoot->url(),
                 'Sync',
                 false,
+                1234,
                 $this->oRoot->url(),
                 'Async',
                 true,
+                1234,
                 $this->oRoot->url()
             ));