Issues in Manager.php - New Issues - Inspection of "Moves `get_access_token` to Connection package." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — add/jetpack-data-methods ( d7e5a6...2c93cb )

unknown

created 2019-06-06 00:20 UTC

packages/connection/src/Manager.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * The Jetpack Connection manager class file.
 *
 * @package jetpack-connection
 */

namespace Automattic\Jetpack\Connection;

use Automattic\Jetpack\Connection\Manager_Interface;
use Automattic\Jetpack\Constants\Manager as Constants_Manager;

/**
 * The Jetpack Connection Manager class that is used as a single gateway between WordPress.com
 * and Jetpack.
 */
class Manager implements Manager_Interface {

	const SECRETS_MISSING        = 'secrets_missing';
	const SECRETS_EXPIRED        = 'secrets_expired';
	const SECRETS_OPTION_NAME    = 'jetpack_secrets';
	const MAGIC_NORMAL_TOKEN_KEY = ';normal;';
	const JETPACK_MASTER_USER    = true;

	/**
	 * The procedure that should be run to generate secrets.
	 *
	 * @var Callable
	 */
	protected $secret_callable;

	/**
	 * Initializes all needed hooks and request handlers. Handles API calls, upload
	 * requests, authentication requests. Also XMLRPC options requests.
	 * Fallback XMLRPC is also a bridge, but probably can be a class that inherits
	 * this one. Among other things it should strip existing methods.
	 *
	 * @param Array $methods an array of API method names for the Connection to accept and
	 *                       pass on to existing callables. It's possible to specify whether
	 *                       each method should be available for unauthenticated calls or not.
	 * @see Jetpack::__construct
	 */
	public function initialize( $methods ) {
		$methods;
	}

	/**
	 * Returns true if the current site is connected to WordPress.com.
	 *
	 * @return Boolean is the site connected?
	 */
	public function is_active() {
		return false;
	}

	/**
	 * Returns true if the user with the specified identifier is connected to
	 * WordPress.com.
	 *
	 * @param Integer $user_id the user identifier.
	 * @return Boolean is the user connected?
	 */
	public function is_user_connected( $user_id ) {
		return $user_id;
	}

	/**
	 * Get the wpcom user data of the current|specified connected user.
	 *
	 * @param Integer $user_id the user identifier.
	 * @return Object the user object.
	 */
	public function get_connected_user_data( $user_id ) {
		return $user_id;
	}

	/**
	 * Is the user the connection owner.
	 *
	 * @param Integer $user_id the user identifier.
	 * @return Boolean is the user the connection owner?
	 */
	public function is_connection_owner( $user_id ) {
		return $user_id;
	}

	/**
	 * Unlinks the current user from the linked WordPress.com user
	 *
	 * @param Integer $user_id the user identifier.
	 */
	public static function disconnect_user( $user_id ) {
		return $user_id;
	}

	/**
	 * Initializes a transport server, whatever it may be, saves into the object property.
	 * Should be changed to be protected.
	 */
	public function initialize_server() {

	}

	/**
	 * Checks if the current request is properly authenticated, bails if not.
	 * Should be changed to be protected.
	 */
	public function require_authentication() {

	}

	/**
	 * Verifies the correctness of the request signature.
	 * Should be changed to be protected.
	 */
	public function verify_signature() {

	}

	/**
	 * Attempts Jetpack registration which sets up the site for connection. Should
	 * remain public because the call to action comes from the current site, not from
	 * WordPress.com.
	 *
	 * @return Integer zero on success, or a bitmask on failure.
	 */
	public function register() {
		return 0;
	}

	/**
	 * Returns the callable that would be used to generate secrets.
	 *
	 * @return Callable a function that returns a secure string to be used as a secret.
	 */
	protected function get_secret_callable() {
		if ( ! isset( $this->secret_callable ) ) {
			/**
			 * Allows modification of the callable that is used to generate connection secrets.
			 *
			 * @param Callable a function or method that returns a secret string.
			 */
			$this->secret_callable = apply_filters( 'jetpack_connection_secret_generator', 'wp_generate_password' );
		}

		return $this->secret_callable;
	}

	/**
	 * Generates two secret tokens and the end of life timestamp for them.
	 *
	 * @param String  $action  The action name.
	 * @param Integer $user_id The user identifier.
	 * @param Integer $exp     Expiration time in seconds.
	 */
	public function generate_secrets( $action, $user_id, $exp ) {
		$callable = $this->get_secret_callable();

		$secrets = \Jetpack_Options::get_raw_option(
			self::SECRETS_OPTION_NAME,
			array()
		);

		$secret_name = 'jetpack_' . $action . '_' . $user_id;

		if (
			isset( $secrets[ $secret_name ] ) &&
			$secrets[ $secret_name ]['exp'] > time()
		) {
			return $secrets[ $secret_name ];
		}

		$secret_value = array(
			'secret_1' => call_user_func( $callable ),
			'secret_2' => call_user_func( $callable ),
			'exp'      => time() + $exp,
		);

		$secrets[ $secret_name ] = $secret_value;

		\Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
		return $secrets[ $secret_name ];
	}

	/**
	 * Returns two secret tokens and the end of life timestamp for them.
	 *
	 * @param String  $action  The action name.
	 * @param Integer $user_id The user identifier.
	 * @return string|array an array of secrets or an error string.
	 */
	public function get_secrets( $action, $user_id ) {
		$secret_name = 'jetpack_' . $action . '_' . $user_id;
		$secrets     = \Jetpack_Options::get_raw_option(
			self::SECRETS_OPTION_NAME,
			array()
		);

		if ( ! isset( $secrets[ $secret_name ] ) ) {
			return self::SECRETS_MISSING;
		}

		if ( $secrets[ $secret_name ]['exp'] < time() ) {
			$this->delete_secrets( $action, $user_id );
			return self::SECRETS_EXPIRED;
		}

		return $secrets[ $secret_name ];
	}

	/**
	 * Deletes secret tokens in case they, for example, have expired.
	 *
	 * @param String  $action  The action name.
	 * @param Integer $user_id The user identifier.
	 */
	public function delete_secrets( $action, $user_id ) {
		$secret_name = 'jetpack_' . $action . '_' . $user_id;
		$secrets     = \Jetpack_Options::get_raw_option(
			self::SECRETS_OPTION_NAME,
			array()
		);
		if ( isset( $secrets[ $secret_name ] ) ) {
			unset( $secrets[ $secret_name ] );
			\Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
		}
	}

	/**
	 * Responds to a WordPress.com call to register the current site.
	 * Should be changed to protected.
	 */
	public function handle_registration() {

	}

	/**
	 * Responds to a WordPress.com call to authorize the current user.
	 * Should be changed to protected.
	 */
	public function handle_authorization() {

	}

	/**
	 * Builds a URL to the Jetpack connection auth page.
	 * This needs rethinking.
	 *
	 * @param bool        $raw If true, URL will not be escaped.
	 * @param bool|string $redirect If true, will redirect back to Jetpack wp-admin landing page after connection.
	 *                              If string, will be a custom redirect.
	 * @param bool|string $from If not false, adds 'from=$from' param to the connect URL.
	 * @param bool        $register If true, will generate a register URL regardless of the existing token, since 4.9.0.
	 *
	 * @return string Connect URL
	 */
	public function build_connect_url( $raw, $redirect, $from, $register ) {
		return array( $raw, $redirect, $from, $register );
	}

	/**
	 * Disconnects from the Jetpack servers.
	 * Forgets all connection details and tells the Jetpack servers to do the same.
	 */
	public function disconnect_site() {

	}

	/**
	 * This function mirrors Jetpack_Data::is_usable_domain() in the WPCOM codebase.
	 *
	 * @param string $domain The domain to check.
	 *
	 * @return bool|WP_Error
	 */
	public function is_usable_domain( $domain ) {

		// If it's empty, just fail out.
		if ( ! $domain ) {
			return new WP_Error(
				'fail_domain_empty',
				/* translators: %1$s is a domain name. */
				sprintf( __( 'Domain `%1$s` just failed is_usable_domain check as it is empty.', 'jetpack' ), $domain )
			);
		}

		/**
		 * Skips the usuable domain check when connecting a site.
		 *
		 * Allows site administrators with domains that fail gethostname-based checks to pass the request to WP.com
		 *
		 * @since 4.1.0
		 *
		 * @param bool If the check should be skipped. Default false.
		 */
		if ( apply_filters( 'jetpack_skip_usuable_domain_check', false ) ) {
			return true;
		}

		// None of the explicit localhosts.
		$forbidden_domains = array(
			'wordpress.com',
			'localhost',
			'localhost.localdomain',
			'127.0.0.1',
			'local.wordpress.test',         // VVV pattern.
			'local.wordpress-trunk.test',   // VVV pattern.
			'src.wordpress-develop.test',   // VVV pattern.
			'build.wordpress-develop.test', // VVV pattern.
		);
		if ( in_array( $domain, $forbidden_domains, true ) ) {
			return new WP_Error(
				'fail_domain_forbidden',
				sprintf(
					/* translators: %1$s is a domain name. */
					__(
						'Domain `%1$s` just failed is_usable_domain check as it is in the forbidden array.',
						'jetpack'
					),
					$domain
				)
			);
		}

		// No .test or .local domains.
		if ( preg_match( '#\.(test|local)$#i', $domain ) ) {
			return new WP_Error(
				'fail_domain_tld',
				sprintf(
					/* translators: %1$s is a domain name. */
					__(
						'Domain `%1$s` just failed is_usable_domain check as it uses an invalid top level domain.',
						'jetpack'
					),
					$domain
				)
			);
		}

		// No WPCOM subdomains.
		if ( preg_match( '#\.WordPress\.com$#i', $domain ) ) {
			return new WP_Error(
				'fail_subdomain_wpcom',
				sprintf(
					/* translators: %1$s is a domain name. */
					__(
						'Domain `%1$s` just failed is_usable_domain check as it is a subdomain of WordPress.com.',
						'jetpack'
					),
					$domain
				)
			);
		}

		// If PHP was compiled without support for the Filter module (very edge case).
		if ( ! function_exists( 'filter_var' ) ) {
			// Just pass back true for now, and let wpcom sort it out.
			return true;
		}

		return true;
	}

	/**
	 * Gets the requested token.
	 *
	 * Tokens are one of two types:
	 * 1. Blog Tokens: These are the "main" tokens. Each site typically has one Blog Token,
	 *    though some sites can have multiple "Special" Blog Tokens (see below). These tokens
	 *    are not associated with a user account. They represent the site's connection with
	 *    the Jetpack servers.
	 * 2. User Tokens: These are "sub-"tokens. Each connected user account has one User Token.
	 *
	 * All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the
	 * token, and $private is a secret that should never be displayed anywhere or sent
	 * over the network; it's used only for signing things.
	 *
	 * Blog Tokens can be "Normal" or "Special".
	 * * Normal: The result of a normal connection flow. They look like
	 *   "{$random_string_1}.{$random_string_2}"
	 *   That is, $token_key and $private are both random strings.
	 *   Sites only have one Normal Blog Token. Normal Tokens are found in either
	 *   Jetpack_Options::get_option( 'blog_token' ) (usual) or the JETPACK_BLOG_TOKEN
	 *   constant (rare).
	 * * Special: A connection token for sites that have gone through an alternative
	 *   connection flow. They look like:
	 *   ";{$special_id}{$special_version};{$wpcom_blog_id};.{$random_string}"
	 *   That is, $private is a random string and $token_key has a special structure with
	 *   lots of semicolons.
	 *   Most sites have zero Special Blog Tokens. Special tokens are only found in the
	 *   JETPACK_BLOG_TOKEN constant.
	 *
	 * In particular, note that Normal Blog Tokens never start with ";" and that
	 * Special Blog Tokens always do.
	 *
	 * When searching for a matching Blog Tokens, Blog Tokens are examined in the following
	 * order:
	 * 1. Defined Special Blog Tokens (via the JETPACK_BLOG_TOKEN constant)
	 * 2. Stored Normal Tokens (via Jetpack_Options::get_option( 'blog_token' ))
	 * 3. Defined Normal Tokens (via the JETPACK_BLOG_TOKEN constant)
	 *
	 * @param int|false    $user_id   false: Return the Blog Token. int: Return that user's User Token.
	 * @param string|false $token_key If provided, check that the token matches the provided input.
	 *
	 * @return object|false
	 */
	public function get_access_token( $user_id = false, $token_key = false ) {
		$possible_special_tokens = array();
		$possible_normal_tokens  = array();
		$user_tokens             = \Jetpack_Options::get_option( 'user_tokens' );

		if ( $user_id ) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			if ( ! $user_tokens ) {
				return false;
			}
			if ( self::JETPACK_MASTER_USER === $user_id ) {
				$user_id = \Jetpack_Options::get_option( 'master_user' );
				if ( ! $user_id ) {
					return false;
				}
			}
			if ( ! isset( $user_tokens[ $user_id ] ) || ! $user_tokens[ $user_id ] ) {
				return false;
			}
			$user_token_chunks = explode( '.', $user_tokens[ $user_id ] );
			if ( empty( $user_token_chunks[1] ) || empty( $user_token_chunks[2] ) ) {
				return false;
			}
			if ( $user_id != $user_token_chunks[2] ) {
				return false;
			}
			$possible_normal_tokens[] = "{$user_token_chunks[0]}.{$user_token_chunks[1]}";
		} else {
			$stored_blog_token = \Jetpack_Options::get_option( 'blog_token' );
			if ( $stored_blog_token ) {
				$possible_normal_tokens[] = $stored_blog_token;
			}

			$defined_tokens = Constants_Manager::is_defined( 'JETPACK_BLOG_TOKEN' )
				? explode( ',', Constants_Manager::get_constant( 'JETPACK_BLOG_TOKEN' ) )
				: array();

			foreach ( $defined_tokens as $defined_token ) {
				if ( ';' === $defined_token[0] ) {
					$possible_special_tokens[] = $defined_token;
				} else {
					$possible_normal_tokens[] = $defined_token;
				}
			}
		}

		if ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
			$possible_tokens = $possible_normal_tokens;
		} else {
			$possible_tokens = array_merge( $possible_special_tokens, $possible_normal_tokens );
		}

		if ( ! $possible_tokens ) {
			return false;
		}

		$valid_token = false;

		if ( false === $token_key ) {
			// Use first token.
			$valid_token = $possible_tokens[0];
		} elseif ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
			// Use first normal token.
			$valid_token = $possible_tokens[0]; // $possible_tokens only contains normal tokens because of earlier check.
		} else {
			// Use the token matching $token_key or false if none.
			// Ensure we check the full key.
			$token_check = rtrim( $token_key, '.' ) . '.';

			foreach ( $possible_tokens as $possible_token ) {
				if ( hash_equals( substr( $possible_token, 0, strlen( $token_check ) ), $token_check ) ) {
					$valid_token = $possible_token;
					break;
				}
			}
		}

		if ( ! $valid_token ) {
			return false;
		}

		return (object) array(
			'secret'           => $valid_token,
			'external_user_id' => (int) $user_id,
		);
	}
}


1		<?php
2		/**
3		* The Jetpack Connection manager class file.
4		*
5		* @package jetpack-connection
6		*/
7
8		namespace Automattic\Jetpack\Connection;
9
10		use Automattic\Jetpack\Connection\Manager_Interface;
11		use Automattic\Jetpack\Constants\Manager as Constants_Manager;
12
13		/**
14		* The Jetpack Connection Manager class that is used as a single gateway between WordPress.com
15		* and Jetpack.
16		*/
17		class Manager implements Manager_Interface {
18
19		const SECRETS_MISSING = 'secrets_missing';
20		const SECRETS_EXPIRED = 'secrets_expired';
21		const SECRETS_OPTION_NAME = 'jetpack_secrets';
22		const MAGIC_NORMAL_TOKEN_KEY = ';normal;';
23		const JETPACK_MASTER_USER = true;
24
25		/**
26		* The procedure that should be run to generate secrets.
27		*
28		* @var Callable
29		*/
30		protected $secret_callable;
31
32		/**
33		* Initializes all needed hooks and request handlers. Handles API calls, upload
34		* requests, authentication requests. Also XMLRPC options requests.
35		* Fallback XMLRPC is also a bridge, but probably can be a class that inherits
36		* this one. Among other things it should strip existing methods.
37		*
38		* @param Array $methods an array of API method names for the Connection to accept and
39		* pass on to existing callables. It's possible to specify whether
40		* each method should be available for unauthenticated calls or not.
41		* @see Jetpack::__construct
42		*/
43		public function initialize( $methods ) {
44		$methods;
45		}
46
47		/**
48		* Returns true if the current site is connected to WordPress.com.
49		*
50		* @return Boolean is the site connected?
51		*/
52		public function is_active() {
53		return false;
54		}
55
56		/**
57		* Returns true if the user with the specified identifier is connected to
58		* WordPress.com.
59		*
60		* @param Integer $user_id the user identifier.
61		* @return Boolean is the user connected?
62		*/
63		public function is_user_connected( $user_id ) {
64		return $user_id;
65		}
66
67		/**
68		* Get the wpcom user data of the current\|specified connected user.
69		*
70		* @param Integer $user_id the user identifier.
71		* @return Object the user object.
72		*/
73		public function get_connected_user_data( $user_id ) {
74		return $user_id;
75		}
76
77		/**
78		* Is the user the connection owner.
79		*
80		* @param Integer $user_id the user identifier.
81		* @return Boolean is the user the connection owner?
82		*/
83		public function is_connection_owner( $user_id ) {
84		return $user_id;
85		}
86
87		/**
88		* Unlinks the current user from the linked WordPress.com user
89		*
90		* @param Integer $user_id the user identifier.
91		*/
92		public static function disconnect_user( $user_id ) {
93		return $user_id;
94		}
95
96		/**
97		* Initializes a transport server, whatever it may be, saves into the object property.
98		* Should be changed to be protected.
99		*/
100		public function initialize_server() {
101
102		}
103
104		/**
105		* Checks if the current request is properly authenticated, bails if not.
106		* Should be changed to be protected.
107		*/
108		public function require_authentication() {
109
110		}
111
112		/**
113		* Verifies the correctness of the request signature.
114		* Should be changed to be protected.
115		*/
116		public function verify_signature() {
117
118		}
119
120		/**
121		* Attempts Jetpack registration which sets up the site for connection. Should
122		* remain public because the call to action comes from the current site, not from
123		* WordPress.com.
124		*
125		* @return Integer zero on success, or a bitmask on failure.
126		*/
127		public function register() {
128		return 0;
129		}
130
131		/**
132		* Returns the callable that would be used to generate secrets.
133		*
134		* @return Callable a function that returns a secure string to be used as a secret.
135		*/
136		protected function get_secret_callable() {
137		if ( ! isset( $this->secret_callable ) ) {
138		/**
139		* Allows modification of the callable that is used to generate connection secrets.
140		*
141		* @param Callable a function or method that returns a secret string.
142		*/
143		$this->secret_callable = apply_filters( 'jetpack_connection_secret_generator', 'wp_generate_password' );
144		}
145
146		return $this->secret_callable;
147		}
148
149		/**
150		* Generates two secret tokens and the end of life timestamp for them.
151		*
152		* @param String $action The action name.
153		* @param Integer $user_id The user identifier.
154		* @param Integer $exp Expiration time in seconds.
155		*/
156		public function generate_secrets( $action, $user_id, $exp ) {
157		$callable = $this->get_secret_callable();
158
159		$secrets = \Jetpack_Options::get_raw_option(
160		self::SECRETS_OPTION_NAME,
161		array()
162		);
163
164		$secret_name = 'jetpack_' . $action . '_' . $user_id;
165
166		if (
167		isset( $secrets[ $secret_name ] ) &&
168		$secrets[ $secret_name ]['exp'] > time()
169		) {
170		return $secrets[ $secret_name ];
171		}
172
173		$secret_value = array(
174		'secret_1' => call_user_func( $callable ),
175		'secret_2' => call_user_func( $callable ),
176		'exp' => time() + $exp,
177		);
178
179		$secrets[ $secret_name ] = $secret_value;
180
181		\Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
182		return $secrets[ $secret_name ];
183		}
184
185		/**
186		* Returns two secret tokens and the end of life timestamp for them.
187		*
188		* @param String $action The action name.
189		* @param Integer $user_id The user identifier.
190		* @return string\|array an array of secrets or an error string.
191		*/
192		public function get_secrets( $action, $user_id ) {
193		$secret_name = 'jetpack_' . $action . '_' . $user_id;
194		$secrets = \Jetpack_Options::get_raw_option(
195		self::SECRETS_OPTION_NAME,
196		array()
197		);
198
199		if ( ! isset( $secrets[ $secret_name ] ) ) {
200		return self::SECRETS_MISSING;
201		}
202
203		if ( $secrets[ $secret_name ]['exp'] < time() ) {
204		$this->delete_secrets( $action, $user_id );
205		return self::SECRETS_EXPIRED;
206		}
207
208		return $secrets[ $secret_name ];
209		}
210
211		/**
212		* Deletes secret tokens in case they, for example, have expired.
213		*
214		* @param String $action The action name.
215		* @param Integer $user_id The user identifier.
216		*/
217		public function delete_secrets( $action, $user_id ) {
218		$secret_name = 'jetpack_' . $action . '_' . $user_id;
219		$secrets = \Jetpack_Options::get_raw_option(
220		self::SECRETS_OPTION_NAME,
221		array()
222		);
223		if ( isset( $secrets[ $secret_name ] ) ) {
224		unset( $secrets[ $secret_name ] );
225		\Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
226		}
227		}
228
229		/**
230		* Responds to a WordPress.com call to register the current site.
231		* Should be changed to protected.
232		*/
233		public function handle_registration() {
234
235		}
236
237		/**
238		* Responds to a WordPress.com call to authorize the current user.
239		* Should be changed to protected.
240		*/
241		public function handle_authorization() {
242
243		}
244
245		/**
246		* Builds a URL to the Jetpack connection auth page.
247		* This needs rethinking.
248		*
249		* @param bool $raw If true, URL will not be escaped.
250		* @param bool\|string $redirect If true, will redirect back to Jetpack wp-admin landing page after connection.
251		* If string, will be a custom redirect.
252		* @param bool\|string $from If not false, adds 'from=$from' param to the connect URL.
253		* @param bool $register If true, will generate a register URL regardless of the existing token, since 4.9.0.
254		*
255		* @return string Connect URL
256		*/
257		public function build_connect_url( $raw, $redirect, $from, $register ) {
258		return array( $raw, $redirect, $from, $register );
259		}
260
261		/**
262		* Disconnects from the Jetpack servers.
263		* Forgets all connection details and tells the Jetpack servers to do the same.
264		*/
265		public function disconnect_site() {
266
267		}
268
269		/**
270		* This function mirrors Jetpack_Data::is_usable_domain() in the WPCOM codebase.
271		*
272		* @param string $domain The domain to check.
273		*
274		* @return bool\|WP_Error
275		*/
276		public function is_usable_domain( $domain ) {
277
278		// If it's empty, just fail out.
279		if ( ! $domain ) {
280		return new WP_Error(
281		'fail_domain_empty',
282		/* translators: %1$s is a domain name. */
283		sprintf( __( 'Domain `%1$s` just failed is_usable_domain check as it is empty.', 'jetpack' ), $domain )
284		);
285		}
286
287		/**
288		* Skips the usuable domain check when connecting a site.
289		*
290		* Allows site administrators with domains that fail gethostname-based checks to pass the request to WP.com
291		*
292		* @since 4.1.0
293		*
294		* @param bool If the check should be skipped. Default false.
295		*/
296		if ( apply_filters( 'jetpack_skip_usuable_domain_check', false ) ) {
297		return true;
298		}
299
300		// None of the explicit localhosts.
301		$forbidden_domains = array(
302		'wordpress.com',
303		'localhost',
304		'localhost.localdomain',
305		'127.0.0.1',
306		'local.wordpress.test', // VVV pattern.
307		'local.wordpress-trunk.test', // VVV pattern.
308		'src.wordpress-develop.test', // VVV pattern.
309		'build.wordpress-develop.test', // VVV pattern.
310		);
311		if ( in_array( $domain, $forbidden_domains, true ) ) {
312		return new WP_Error(
313		'fail_domain_forbidden',
314		sprintf(
315		/* translators: %1$s is a domain name. */
316		__(
317		'Domain `%1$s` just failed is_usable_domain check as it is in the forbidden array.',
318		'jetpack'
319		),
320		$domain
321		)
322		);
323		}
324
325		// No .test or .local domains.
326	View Code Duplication	if ( preg_match( '#\.(test\|local)$#i', $domain ) ) {
327		return new WP_Error(
328		'fail_domain_tld',
329		sprintf(
330		/* translators: %1$s is a domain name. */
331		__(
332		'Domain `%1$s` just failed is_usable_domain check as it uses an invalid top level domain.',
333		'jetpack'
334		),
335		$domain
336		)
337		);
338		}
339
340		// No WPCOM subdomains.
341	View Code Duplication	if ( preg_match( '#\.WordPress\.com$#i', $domain ) ) {
342		return new WP_Error(
343		'fail_subdomain_wpcom',
344		sprintf(
345		/* translators: %1$s is a domain name. */
346		__(
347		'Domain `%1$s` just failed is_usable_domain check as it is a subdomain of WordPress.com.',
348		'jetpack'
349		),
350		$domain
351		)
352		);
353		}
354
355		// If PHP was compiled without support for the Filter module (very edge case).
356		if ( ! function_exists( 'filter_var' ) ) {
357		// Just pass back true for now, and let wpcom sort it out.
358		return true;
359		}
360
361		return true;
362		}
363
364		/**
365		* Gets the requested token.
366		*
367		* Tokens are one of two types:
368		* 1. Blog Tokens: These are the "main" tokens. Each site typically has one Blog Token,
369		* though some sites can have multiple "Special" Blog Tokens (see below). These tokens
370		* are not associated with a user account. They represent the site's connection with
371		* the Jetpack servers.
372		* 2. User Tokens: These are "sub-"tokens. Each connected user account has one User Token.
373		*
374		* All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the
375		* token, and $private is a secret that should never be displayed anywhere or sent
376		* over the network; it's used only for signing things.
377		*
378		* Blog Tokens can be "Normal" or "Special".
379		* * Normal: The result of a normal connection flow. They look like
380		* "{$random_string_1}.{$random_string_2}"
381		* That is, $token_key and $private are both random strings.
382		* Sites only have one Normal Blog Token. Normal Tokens are found in either
383		* Jetpack_Options::get_option( 'blog_token' ) (usual) or the JETPACK_BLOG_TOKEN
384		* constant (rare).
385		* * Special: A connection token for sites that have gone through an alternative
386		* connection flow. They look like:
387		* ";{$special_id}{$special_version};{$wpcom_blog_id};.{$random_string}"
388		* That is, $private is a random string and $token_key has a special structure with
389		* lots of semicolons.
390		* Most sites have zero Special Blog Tokens. Special tokens are only found in the
391		* JETPACK_BLOG_TOKEN constant.
392		*
393		* In particular, note that Normal Blog Tokens never start with ";" and that
394		* Special Blog Tokens always do.
395		*
396		* When searching for a matching Blog Tokens, Blog Tokens are examined in the following
397		* order:
398		* 1. Defined Special Blog Tokens (via the JETPACK_BLOG_TOKEN constant)
399		* 2. Stored Normal Tokens (via Jetpack_Options::get_option( 'blog_token' ))
400		* 3. Defined Normal Tokens (via the JETPACK_BLOG_TOKEN constant)
401		*
402		* @param int\|false $user_id false: Return the Blog Token. int: Return that user's User Token.
403		* @param string\|false $token_key If provided, check that the token matches the provided input.
404		*
405		* @return object\|false
406		*/
407		public function get_access_token( $user_id = false, $token_key = false ) {
408		$possible_special_tokens = array();
409		$possible_normal_tokens = array();
410		$user_tokens = \Jetpack_Options::get_option( 'user_tokens' );
411
412		if ( $user_id ) {
		0 ignored issues – show Bug Best Practice introduced 2019-06-06 00:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$user_id` of type `false\|integer` is loosely compared to `true`; this is ambiguous if the integer can be zero. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
413		if ( ! $user_tokens ) {
414		return false;
415		}
416		if ( self::JETPACK_MASTER_USER === $user_id ) {
417		$user_id = \Jetpack_Options::get_option( 'master_user' );
418		if ( ! $user_id ) {
419		return false;
420		}
421		}
422		if ( ! isset( $user_tokens[ $user_id ] ) \|\| ! $user_tokens[ $user_id ] ) {
423		return false;
424		}
425		$user_token_chunks = explode( '.', $user_tokens[ $user_id ] );
426		if ( empty( $user_token_chunks[1] ) \|\| empty( $user_token_chunks[2] ) ) {
427		return false;
428		}
429		if ( $user_id != $user_token_chunks[2] ) {
430		return false;
431		}
432		$possible_normal_tokens[] = "{$user_token_chunks[0]}.{$user_token_chunks[1]}";
433		} else {
434		$stored_blog_token = \Jetpack_Options::get_option( 'blog_token' );
435		if ( $stored_blog_token ) {
436		$possible_normal_tokens[] = $stored_blog_token;
437		}
438
439		$defined_tokens = Constants_Manager::is_defined( 'JETPACK_BLOG_TOKEN' )
440		? explode( ',', Constants_Manager::get_constant( 'JETPACK_BLOG_TOKEN' ) )
441		: array();
442
443		foreach ( $defined_tokens as $defined_token ) {
444		if ( ';' === $defined_token[0] ) {
445		$possible_special_tokens[] = $defined_token;
446		} else {
447		$possible_normal_tokens[] = $defined_token;
448		}
449		}
450		}
451
452		if ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
453		$possible_tokens = $possible_normal_tokens;
454		} else {
455		$possible_tokens = array_merge( $possible_special_tokens, $possible_normal_tokens );
456		}
457
458		if ( ! $possible_tokens ) {
459		return false;
460		}
461
462		$valid_token = false;
463
464		if ( false === $token_key ) {
465		// Use first token.
466		$valid_token = $possible_tokens[0];
467		} elseif ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
468		// Use first normal token.
469		$valid_token = $possible_tokens[0]; // $possible_tokens only contains normal tokens because of earlier check.
470		} else {
471		// Use the token matching $token_key or false if none.
472		// Ensure we check the full key.
473		$token_check = rtrim( $token_key, '.' ) . '.';
474
475		foreach ( $possible_tokens as $possible_token ) {
476		if ( hash_equals( substr( $possible_token, 0, strlen( $token_check ) ), $token_check ) ) {
477		$valid_token = $possible_token;
478		break;
479		}
480		}
481		}
482
483		if ( ! $valid_token ) {
484		return false;
485		}
486
487		return (object) array(
488		'secret' => $valid_token,
489		'external_user_id' => (int) $user_id,
490		);
491		}
492		}
493

Automattic / jetpack

Push — add/jetpack-data-methods ( d7e5a6...2c93cb )

packages/connection/src/Manager.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like