|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Jetpack XMLRPC Server. |
|
4
|
|
|
* |
|
5
|
|
|
* @package automattic/jetpack-connection |
|
6
|
|
|
*/ |
|
7
|
|
|
|
|
8
|
|
|
use Automattic\Jetpack\Connection\Client; |
|
9
|
|
|
use Automattic\Jetpack\Connection\Manager as Connection_Manager; |
|
10
|
|
|
use Automattic\Jetpack\Connection\Secrets; |
|
11
|
|
|
use Automattic\Jetpack\Connection\Tokens; |
|
12
|
|
|
use Automattic\Jetpack\Roles; |
|
13
|
|
|
use Automattic\Jetpack\Sync\Functions; |
|
14
|
|
|
use Automattic\Jetpack\Sync\Sender; |
|
15
|
|
|
|
|
16
|
|
|
/** |
|
17
|
|
|
* Just a sack of functions. Not actually an IXR_Server |
|
18
|
|
|
*/ |
|
19
|
|
|
class Jetpack_XMLRPC_Server { |
|
20
|
|
|
/** |
|
21
|
|
|
* The current error object |
|
22
|
|
|
* |
|
23
|
|
|
* @var \WP_Error |
|
24
|
|
|
*/ |
|
25
|
|
|
public $error = null; |
|
26
|
|
|
|
|
27
|
|
|
/** |
|
28
|
|
|
* The current user |
|
29
|
|
|
* |
|
30
|
|
|
* @var \WP_User |
|
31
|
|
|
*/ |
|
32
|
|
|
public $user = null; |
|
33
|
|
|
|
|
34
|
|
|
/** |
|
35
|
|
|
* The connection manager object. |
|
36
|
|
|
* |
|
37
|
|
|
* @var Automattic\Jetpack\Connection\Manager |
|
38
|
|
|
*/ |
|
39
|
|
|
private $connection; |
|
40
|
|
|
|
|
41
|
|
|
/** |
|
42
|
|
|
* Creates a new XMLRPC server object. |
|
43
|
|
|
*/ |
|
44
|
|
|
public function __construct() { |
|
45
|
|
|
$this->connection = new Connection_Manager(); |
|
46
|
|
|
} |
|
47
|
|
|
|
|
48
|
|
|
/** |
|
49
|
|
|
* Whitelist of the XML-RPC methods available to the Jetpack Server. If the |
|
50
|
|
|
* user is not authenticated (->login()) then the methods are never added, |
|
51
|
|
|
* so they will get a "does not exist" error. |
|
52
|
|
|
* |
|
53
|
|
|
* @param array $core_methods Core XMLRPC methods. |
|
54
|
|
|
*/ |
|
55
|
|
|
public function xmlrpc_methods( $core_methods ) { |
|
56
|
|
|
$jetpack_methods = array( |
|
57
|
|
|
'jetpack.verifyAction' => array( $this, 'verify_action' ), |
|
58
|
|
|
'jetpack.idcUrlValidation' => array( $this, 'validate_urls_for_idc_mitigation' ), |
|
59
|
|
|
'jetpack.unlinkUser' => array( $this, 'unlink_user' ), |
|
60
|
|
|
'jetpack.testConnection' => array( $this, 'test_connection' ), |
|
61
|
|
|
); |
|
62
|
|
|
|
|
63
|
|
|
$jetpack_methods = array_merge( $jetpack_methods, $this->provision_xmlrpc_methods() ); |
|
64
|
|
|
|
|
65
|
|
|
$this->user = $this->login(); |
|
|
|
|
|
|
66
|
|
|
|
|
67
|
|
|
if ( $this->user ) { |
|
68
|
|
|
$jetpack_methods = array_merge( |
|
69
|
|
|
$jetpack_methods, |
|
70
|
|
|
array( |
|
71
|
|
|
'jetpack.testAPIUserCode' => array( $this, 'test_api_user_code' ), |
|
72
|
|
|
) |
|
73
|
|
|
); |
|
74
|
|
|
|
|
75
|
|
|
if ( isset( $core_methods['metaWeblog.editPost'] ) ) { |
|
76
|
|
|
$jetpack_methods['metaWeblog.newMediaObject'] = $core_methods['metaWeblog.newMediaObject']; |
|
77
|
|
|
$jetpack_methods['jetpack.updateAttachmentParent'] = array( $this, 'update_attachment_parent' ); |
|
78
|
|
|
} |
|
79
|
|
|
|
|
80
|
|
|
/** |
|
81
|
|
|
* Filters the XML-RPC methods available to Jetpack for authenticated users. |
|
82
|
|
|
* |
|
83
|
|
|
* @since 1.1.0 |
|
84
|
|
|
* |
|
85
|
|
|
* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server. |
|
86
|
|
|
* @param array $core_methods Available core XML-RPC methods. |
|
87
|
|
|
* @param \WP_User $user Information about the user authenticated in the request. |
|
88
|
|
|
*/ |
|
89
|
|
|
$jetpack_methods = apply_filters( 'jetpack_xmlrpc_methods', $jetpack_methods, $core_methods, $this->user ); |
|
|
|
|
|
|
90
|
|
|
} |
|
91
|
|
|
|
|
92
|
|
|
/** |
|
93
|
|
|
* Filters the XML-RPC methods available to Jetpack for requests signed both with a blog token or a user token. |
|
94
|
|
|
* |
|
95
|
|
|
* @since 3.0.0 |
|
96
|
|
|
* @since 9.6.0 Introduced the $user parameter. |
|
97
|
|
|
* |
|
98
|
|
|
* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server. |
|
99
|
|
|
* @param array $core_methods Available core XML-RPC methods. |
|
100
|
|
|
* @param \WP_User|bool $user Information about the user authenticated in the request. False if authenticated with blog token. |
|
101
|
|
|
*/ |
|
102
|
|
|
return apply_filters( 'jetpack_xmlrpc_unauthenticated_methods', $jetpack_methods, $core_methods, $this->user ); |
|
|
|
|
|
|
103
|
|
|
} |
|
104
|
|
|
|
|
105
|
|
|
/** |
|
106
|
|
|
* Whitelist of the bootstrap XML-RPC methods |
|
107
|
|
|
*/ |
|
108
|
|
|
public function bootstrap_xmlrpc_methods() { |
|
109
|
|
|
return array( |
|
110
|
|
|
'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ), |
|
111
|
|
|
'jetpack.remoteRegister' => array( $this, 'remote_register' ), |
|
112
|
|
|
); |
|
113
|
|
|
} |
|
114
|
|
|
|
|
115
|
|
|
/** |
|
116
|
|
|
* Additional method needed for authorization calls. |
|
117
|
|
|
*/ |
|
118
|
|
|
public function authorize_xmlrpc_methods() { |
|
119
|
|
|
return array( |
|
120
|
|
|
'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ), |
|
121
|
|
|
); |
|
122
|
|
|
} |
|
123
|
|
|
|
|
124
|
|
|
/** |
|
125
|
|
|
* Remote provisioning methods. |
|
126
|
|
|
*/ |
|
127
|
|
|
public function provision_xmlrpc_methods() { |
|
128
|
|
|
return array( |
|
129
|
|
|
'jetpack.remoteRegister' => array( $this, 'remote_register' ), |
|
130
|
|
|
'jetpack.remoteProvision' => array( $this, 'remote_provision' ), |
|
131
|
|
|
'jetpack.remoteConnect' => array( $this, 'remote_connect' ), |
|
132
|
|
|
'jetpack.getUser' => array( $this, 'get_user' ), |
|
133
|
|
|
); |
|
134
|
|
|
} |
|
135
|
|
|
|
|
136
|
|
|
/** |
|
137
|
|
|
* Used to verify whether a local user exists and what role they have. |
|
138
|
|
|
* |
|
139
|
|
|
* @param int|string|array $request One of: |
|
140
|
|
|
* int|string The local User's ID, username, or email address. |
|
141
|
|
|
* array A request array containing: |
|
142
|
|
|
* 0: int|string The local User's ID, username, or email address. |
|
143
|
|
|
* |
|
144
|
|
|
* @return array|\IXR_Error Information about the user, or error if no such user found: |
|
145
|
|
|
* roles: string[] The user's rols. |
|
146
|
|
|
* login: string The user's username. |
|
147
|
|
|
* email_hash string[] The MD5 hash of the user's normalized email address. |
|
148
|
|
|
* caps string[] The user's capabilities. |
|
149
|
|
|
* allcaps string[] The user's granular capabilities, merged from role capabilities. |
|
150
|
|
|
* token_key string The Token Key of the user's Jetpack token. Empty string if none. |
|
151
|
|
|
*/ |
|
152
|
|
|
public function get_user( $request ) { |
|
153
|
|
|
$user_id = is_array( $request ) ? $request[0] : $request; |
|
154
|
|
|
|
|
155
|
|
|
if ( ! $user_id ) { |
|
156
|
|
|
return $this->error( |
|
157
|
|
|
new \WP_Error( |
|
158
|
|
|
'invalid_user', |
|
|
|
|
|
|
159
|
|
|
__( 'Invalid user identifier.', 'jetpack' ), |
|
160
|
|
|
400 |
|
161
|
|
|
), |
|
162
|
|
|
'get_user' |
|
163
|
|
|
); |
|
164
|
|
|
} |
|
165
|
|
|
|
|
166
|
|
|
$user = $this->get_user_by_anything( $user_id ); |
|
167
|
|
|
|
|
168
|
|
|
if ( ! $user ) { |
|
169
|
|
|
return $this->error( |
|
170
|
|
|
new \WP_Error( |
|
171
|
|
|
'user_unknown', |
|
|
|
|
|
|
172
|
|
|
__( 'User not found.', 'jetpack' ), |
|
173
|
|
|
404 |
|
174
|
|
|
), |
|
175
|
|
|
'get_user' |
|
176
|
|
|
); |
|
177
|
|
|
} |
|
178
|
|
|
|
|
179
|
|
|
$user_token = ( new Tokens() )->get_access_token( $user->ID ); |
|
180
|
|
|
|
|
181
|
|
|
if ( $user_token ) { |
|
182
|
|
|
list( $user_token_key ) = explode( '.', $user_token->secret ); |
|
183
|
|
|
if ( $user_token_key === $user_token->secret ) { |
|
184
|
|
|
$user_token_key = ''; |
|
185
|
|
|
} |
|
186
|
|
|
} else { |
|
187
|
|
|
$user_token_key = ''; |
|
188
|
|
|
} |
|
189
|
|
|
|
|
190
|
|
|
return array( |
|
191
|
|
|
'id' => $user->ID, |
|
192
|
|
|
'login' => $user->user_login, |
|
193
|
|
|
'email_hash' => md5( strtolower( trim( $user->user_email ) ) ), |
|
194
|
|
|
'roles' => $user->roles, |
|
195
|
|
|
'caps' => $user->caps, |
|
196
|
|
|
'allcaps' => $user->allcaps, |
|
197
|
|
|
'token_key' => $user_token_key, |
|
198
|
|
|
); |
|
199
|
|
|
} |
|
200
|
|
|
|
|
201
|
|
|
/** |
|
202
|
|
|
* Remote authorization XMLRPC method handler. |
|
203
|
|
|
* |
|
204
|
|
|
* @param array $request the request. |
|
205
|
|
|
*/ |
|
206
|
|
|
public function remote_authorize( $request ) { |
|
207
|
|
|
$user = get_user_by( 'id', $request['state'] ); |
|
208
|
|
|
|
|
209
|
|
|
/** |
|
210
|
|
|
* Happens on various request handling events in the Jetpack XMLRPC server. |
|
211
|
|
|
* The action combines several types of events: |
|
212
|
|
|
* - remote_authorize |
|
213
|
|
|
* - remote_provision |
|
214
|
|
|
* - get_user. |
|
215
|
|
|
* |
|
216
|
|
|
* @since 8.0.0 |
|
217
|
|
|
* |
|
218
|
|
|
* @param String $action the action name, i.e., 'remote_authorize'. |
|
219
|
|
|
* @param String $stage the execution stage, can be 'begin', 'success', 'error', etc. |
|
220
|
|
|
* @param array $parameters extra parameters from the event. |
|
221
|
|
|
* @param WP_User $user the acting user. |
|
222
|
|
|
*/ |
|
223
|
|
|
do_action( 'jetpack_xmlrpc_server_event', 'remote_authorize', 'begin', array(), $user ); |
|
224
|
|
|
|
|
225
|
|
|
foreach ( array( 'secret', 'state', 'redirect_uri', 'code' ) as $required ) { |
|
226
|
|
|
if ( ! isset( $request[ $required ] ) || empty( $request[ $required ] ) ) { |
|
227
|
|
|
return $this->error( |
|
228
|
|
|
new \WP_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ), |
|
|
|
|
|
|
229
|
|
|
'remote_authorize' |
|
230
|
|
|
); |
|
231
|
|
|
} |
|
232
|
|
|
} |
|
233
|
|
|
|
|
234
|
|
|
if ( ! $user ) { |
|
235
|
|
|
return $this->error( new \WP_Error( 'user_unknown', 'User not found.', 404 ), 'remote_authorize' ); |
|
|
|
|
|
|
236
|
|
|
} |
|
237
|
|
|
|
|
238
|
|
|
if ( $this->connection->has_connected_owner() && $this->connection->is_user_connected( $request['state'] ) ) { |
|
239
|
|
|
return $this->error( new \WP_Error( 'already_connected', 'User already connected.', 400 ), 'remote_authorize' ); |
|
|
|
|
|
|
240
|
|
|
} |
|
241
|
|
|
|
|
242
|
|
|
$verified = $this->verify_action( array( 'authorize', $request['secret'], $request['state'] ) ); |
|
243
|
|
|
|
|
244
|
|
|
if ( is_a( $verified, 'IXR_Error' ) ) { |
|
245
|
|
|
return $this->error( $verified, 'remote_authorize' ); |
|
246
|
|
|
} |
|
247
|
|
|
|
|
248
|
|
|
wp_set_current_user( $request['state'] ); |
|
249
|
|
|
|
|
250
|
|
|
$result = $this->connection->authorize( $request ); |
|
251
|
|
|
|
|
252
|
|
|
if ( is_wp_error( $result ) ) { |
|
253
|
|
|
return $this->error( $result, 'remote_authorize' ); |
|
|
|
|
|
|
254
|
|
|
} |
|
255
|
|
|
|
|
256
|
|
|
// This action is documented in class.jetpack-xmlrpc-server.php. |
|
257
|
|
|
do_action( 'jetpack_xmlrpc_server_event', 'remote_authorize', 'success' ); |
|
258
|
|
|
|
|
259
|
|
|
return array( |
|
260
|
|
|
'result' => $result, |
|
261
|
|
|
); |
|
262
|
|
|
} |
|
263
|
|
|
|
|
264
|
|
|
/** |
|
265
|
|
|
* This XML-RPC method is called from the /jpphp/provision endpoint on WPCOM in order to |
|
266
|
|
|
* register this site so that a plan can be provisioned. |
|
267
|
|
|
* |
|
268
|
|
|
* @param array $request An array containing at minimum nonce and local_user keys. |
|
269
|
|
|
* |
|
270
|
|
|
* @return \WP_Error|array |
|
271
|
|
|
*/ |
|
272
|
|
|
public function remote_register( $request ) { |
|
273
|
|
|
// This action is documented in class.jetpack-xmlrpc-server.php. |
|
274
|
|
|
do_action( 'jetpack_xmlrpc_server_event', 'remote_register', 'begin', array() ); |
|
275
|
|
|
|
|
276
|
|
|
$user = $this->fetch_and_verify_local_user( $request ); |
|
277
|
|
|
|
|
278
|
|
|
if ( ! $user ) { |
|
279
|
|
|
return $this->error( |
|
280
|
|
|
new WP_Error( 'input_error', __( 'Valid user is required', 'jetpack' ), 400 ), |
|
|
|
|
|
|
281
|
|
|
'remote_register' |
|
282
|
|
|
); |
|
283
|
|
|
} |
|
284
|
|
|
|
|
285
|
|
|
if ( is_wp_error( $user ) || is_a( $user, 'IXR_Error' ) ) { |
|
286
|
|
|
return $this->error( $user, 'remote_register' ); |
|
287
|
|
|
} |
|
288
|
|
|
|
|
289
|
|
|
if ( empty( $request['nonce'] ) ) { |
|
290
|
|
|
return $this->error( |
|
291
|
|
|
new \WP_Error( |
|
292
|
|
|
'nonce_missing', |
|
|
|
|
|
|
293
|
|
|
__( 'The required "nonce" parameter is missing.', 'jetpack' ), |
|
294
|
|
|
400 |
|
295
|
|
|
), |
|
296
|
|
|
'remote_register' |
|
297
|
|
|
); |
|
298
|
|
|
} |
|
299
|
|
|
|
|
300
|
|
|
$nonce = sanitize_text_field( $request['nonce'] ); |
|
301
|
|
|
unset( $request['nonce'] ); |
|
302
|
|
|
|
|
303
|
|
|
$api_url = $this->connection->api_url( 'partner_provision_nonce_check' ); |
|
304
|
|
|
$response = Client::_wp_remote_request( |
|
305
|
|
|
esc_url_raw( add_query_arg( 'nonce', $nonce, $api_url ) ), |
|
306
|
|
|
array( 'method' => 'GET' ), |
|
307
|
|
|
true |
|
308
|
|
|
); |
|
309
|
|
|
|
|
310
|
|
|
if ( |
|
311
|
|
|
200 !== wp_remote_retrieve_response_code( $response ) || |
|
312
|
|
|
'OK' !== trim( wp_remote_retrieve_body( $response ) ) |
|
313
|
|
|
) { |
|
314
|
|
|
return $this->error( |
|
315
|
|
|
new \WP_Error( |
|
316
|
|
|
'invalid_nonce', |
|
|
|
|
|
|
317
|
|
|
__( 'There was an issue validating this request.', 'jetpack' ), |
|
318
|
|
|
400 |
|
319
|
|
|
), |
|
320
|
|
|
'remote_register' |
|
321
|
|
|
); |
|
322
|
|
|
} |
|
323
|
|
|
|
|
324
|
|
|
if ( ! Jetpack_Options::get_option( 'id' ) || ! ( new Tokens() )->get_access_token() || ! empty( $request['force'] ) ) { |
|
325
|
|
|
wp_set_current_user( $user->ID ); |
|
326
|
|
|
|
|
327
|
|
|
// This code mostly copied from Jetpack::admin_page_load. |
|
328
|
|
|
Jetpack::maybe_set_version_option(); |
|
329
|
|
|
if ( isset( $request['from'] ) ) { |
|
330
|
|
|
$this->connection->add_register_request_param( 'from', (string) $request['from'] ); |
|
331
|
|
|
} |
|
332
|
|
|
$registered = $this->connection->try_registration(); |
|
333
|
|
|
if ( is_wp_error( $registered ) ) { |
|
334
|
|
|
return $this->error( $registered, 'remote_register' ); |
|
|
|
|
|
|
335
|
|
|
} elseif ( ! $registered ) { |
|
336
|
|
|
return $this->error( |
|
337
|
|
|
new \WP_Error( |
|
338
|
|
|
'registration_error', |
|
|
|
|
|
|
339
|
|
|
__( 'There was an unspecified error registering the site', 'jetpack' ), |
|
340
|
|
|
400 |
|
341
|
|
|
), |
|
342
|
|
|
'remote_register' |
|
343
|
|
|
); |
|
344
|
|
|
} |
|
345
|
|
|
} |
|
346
|
|
|
|
|
347
|
|
|
// This action is documented in class.jetpack-xmlrpc-server.php. |
|
348
|
|
|
do_action( 'jetpack_xmlrpc_server_event', 'remote_register', 'success' ); |
|
349
|
|
|
|
|
350
|
|
|
return array( |
|
351
|
|
|
'client_id' => Jetpack_Options::get_option( 'id' ), |
|
352
|
|
|
); |
|
353
|
|
|
} |
|
354
|
|
|
|
|
355
|
|
|
/** |
|
356
|
|
|
* This XML-RPC method is called from the /jpphp/provision endpoint on WPCOM in order to |
|
357
|
|
|
* register this site so that a plan can be provisioned. |
|
358
|
|
|
* |
|
359
|
|
|
* @param array $request An array containing at minimum a nonce key and a local_username key. |
|
360
|
|
|
* |
|
361
|
|
|
* @return \WP_Error|array |
|
362
|
|
|
*/ |
|
363
|
|
|
public function remote_provision( $request ) { |
|
364
|
|
|
$user = $this->fetch_and_verify_local_user( $request ); |
|
365
|
|
|
|
|
366
|
|
|
if ( ! $user ) { |
|
367
|
|
|
return $this->error( |
|
368
|
|
|
new WP_Error( 'input_error', __( 'Valid user is required', 'jetpack' ), 400 ), |
|
|
|
|
|
|
369
|
|
|
'remote_provision' |
|
370
|
|
|
); |
|
371
|
|
|
} |
|
372
|
|
|
|
|
373
|
|
|
if ( is_wp_error( $user ) || is_a( $user, 'IXR_Error' ) ) { |
|
374
|
|
|
return $this->error( $user, 'remote_provision' ); |
|
375
|
|
|
} |
|
376
|
|
|
|
|
377
|
|
|
$site_icon = get_site_icon_url(); |
|
378
|
|
|
|
|
379
|
|
|
$auto_enable_sso = ( ! $this->connection->has_connected_owner() || Jetpack::is_module_active( 'sso' ) ); |
|
380
|
|
|
|
|
381
|
|
|
/** This filter is documented in class.jetpack-cli.php */ |
|
382
|
|
View Code Duplication |
if ( apply_filters( 'jetpack_start_enable_sso', $auto_enable_sso ) ) { |
|
383
|
|
|
$redirect_uri = add_query_arg( |
|
384
|
|
|
array( |
|
385
|
|
|
'action' => 'jetpack-sso', |
|
386
|
|
|
'redirect_to' => rawurlencode( admin_url() ), |
|
387
|
|
|
), |
|
388
|
|
|
wp_login_url() // TODO: come back to Jetpack dashboard? |
|
389
|
|
|
); |
|
390
|
|
|
} else { |
|
391
|
|
|
$redirect_uri = admin_url(); |
|
392
|
|
|
} |
|
393
|
|
|
|
|
394
|
|
|
// Generate secrets. |
|
395
|
|
|
$roles = new Roles(); |
|
396
|
|
|
$role = $roles->translate_user_to_role( $user ); |
|
397
|
|
|
$secrets = ( new Secrets() )->generate( 'authorize', $user->ID ); |
|
398
|
|
|
|
|
399
|
|
|
$response = array( |
|
400
|
|
|
'jp_version' => JETPACK__VERSION, |
|
401
|
|
|
'redirect_uri' => $redirect_uri, |
|
402
|
|
|
'user_id' => $user->ID, |
|
403
|
|
|
'user_email' => $user->user_email, |
|
404
|
|
|
'user_login' => $user->user_login, |
|
405
|
|
|
'scope' => $this->connection->sign_role( $role, $user->ID ), |
|
406
|
|
|
'secret' => $secrets['secret_1'], |
|
407
|
|
|
'is_active' => $this->connection->has_connected_owner(), |
|
408
|
|
|
); |
|
409
|
|
|
|
|
410
|
|
|
if ( $site_icon ) { |
|
411
|
|
|
$response['site_icon'] = $site_icon; |
|
412
|
|
|
} |
|
413
|
|
|
|
|
414
|
|
|
/** |
|
415
|
|
|
* Filters the response of the remote_provision XMLRPC method |
|
416
|
|
|
* |
|
417
|
|
|
* @param array $response The response. |
|
418
|
|
|
* @param array $request An array containing at minimum a nonce key and a local_username key. |
|
419
|
|
|
* @param \WP_User $user The local authenticated user. |
|
420
|
|
|
* |
|
421
|
|
|
* @since 9.8.0 |
|
422
|
|
|
*/ |
|
423
|
|
|
$response = apply_filters( 'jetpack_remote_xmlrpc_provision_response', $response, $request, $user ); |
|
|
|
|
|
|
424
|
|
|
|
|
425
|
|
|
return $response; |
|
426
|
|
|
} |
|
427
|
|
|
|
|
428
|
|
|
/** |
|
429
|
|
|
* Given an array containing a local user identifier and a nonce, will attempt to fetch and set |
|
430
|
|
|
* an access token for the given user. |
|
431
|
|
|
* |
|
432
|
|
|
* @param array $request An array containing local_user and nonce keys at minimum. |
|
433
|
|
|
* @param \IXR_Client $ixr_client The client object, optional. |
|
|
|
|
|
|
434
|
|
|
* @return mixed |
|
435
|
|
|
*/ |
|
436
|
|
|
public function remote_connect( $request, $ixr_client = false ) { |
|
437
|
|
|
if ( $this->connection->has_connected_owner() ) { |
|
438
|
|
|
return $this->error( |
|
439
|
|
|
new WP_Error( |
|
440
|
|
|
'already_connected', |
|
|
|
|
|
|
441
|
|
|
__( 'Jetpack is already connected.', 'jetpack' ), |
|
442
|
|
|
400 |
|
443
|
|
|
), |
|
444
|
|
|
'remote_connect' |
|
445
|
|
|
); |
|
446
|
|
|
} |
|
447
|
|
|
|
|
448
|
|
|
$user = $this->fetch_and_verify_local_user( $request ); |
|
449
|
|
|
|
|
450
|
|
|
if ( ! $user || is_wp_error( $user ) || is_a( $user, 'IXR_Error' ) ) { |
|
451
|
|
|
return $this->error( |
|
452
|
|
|
new WP_Error( |
|
453
|
|
|
'input_error', |
|
|
|
|
|
|
454
|
|
|
__( 'Valid user is required.', 'jetpack' ), |
|
455
|
|
|
400 |
|
456
|
|
|
), |
|
457
|
|
|
'remote_connect' |
|
458
|
|
|
); |
|
459
|
|
|
} |
|
460
|
|
|
|
|
461
|
|
|
if ( empty( $request['nonce'] ) ) { |
|
462
|
|
|
return $this->error( |
|
463
|
|
|
new WP_Error( |
|
464
|
|
|
'input_error', |
|
|
|
|
|
|
465
|
|
|
__( 'A non-empty nonce must be supplied.', 'jetpack' ), |
|
466
|
|
|
400 |
|
467
|
|
|
), |
|
468
|
|
|
'remote_connect' |
|
469
|
|
|
); |
|
470
|
|
|
} |
|
471
|
|
|
|
|
472
|
|
|
if ( ! $ixr_client ) { |
|
473
|
|
|
$ixr_client = new Jetpack_IXR_Client(); |
|
474
|
|
|
} |
|
475
|
|
|
// TODO: move this query into the Tokens class? |
|
476
|
|
|
$ixr_client->query( |
|
477
|
|
|
'jetpack.getUserAccessToken', |
|
478
|
|
|
array( |
|
479
|
|
|
'nonce' => sanitize_text_field( $request['nonce'] ), |
|
480
|
|
|
'external_user_id' => $user->ID, |
|
481
|
|
|
) |
|
482
|
|
|
); |
|
483
|
|
|
|
|
484
|
|
|
$token = $ixr_client->isError() ? false : $ixr_client->getResponse(); |
|
485
|
|
|
if ( empty( $token ) ) { |
|
486
|
|
|
return $this->error( |
|
487
|
|
|
new WP_Error( |
|
488
|
|
|
'token_fetch_failed', |
|
|
|
|
|
|
489
|
|
|
__( 'Failed to fetch user token from WordPress.com.', 'jetpack' ), |
|
490
|
|
|
400 |
|
491
|
|
|
), |
|
492
|
|
|
'remote_connect' |
|
493
|
|
|
); |
|
494
|
|
|
} |
|
495
|
|
|
$token = sanitize_text_field( $token ); |
|
496
|
|
|
|
|
497
|
|
|
( new Tokens() )->update_user_token( $user->ID, sprintf( '%s.%d', $token, $user->ID ), true ); |
|
498
|
|
|
|
|
499
|
|
|
/** |
|
500
|
|
|
* Hook fired at the end of the jetpack.remoteConnect XML-RPC callback |
|
501
|
|
|
* |
|
502
|
|
|
* @since 9.8.0 |
|
503
|
|
|
*/ |
|
504
|
|
|
do_action( 'jetpack_remote_connect_end' ); |
|
505
|
|
|
|
|
506
|
|
|
return $this->connection->has_connected_owner(); |
|
507
|
|
|
} |
|
508
|
|
|
|
|
509
|
|
|
/** |
|
510
|
|
|
* Getter for the local user to act as. |
|
511
|
|
|
* |
|
512
|
|
|
* @param array $request the current request data. |
|
513
|
|
|
*/ |
|
514
|
|
|
private function fetch_and_verify_local_user( $request ) { |
|
515
|
|
|
if ( empty( $request['local_user'] ) ) { |
|
516
|
|
|
return $this->error( |
|
517
|
|
|
new \WP_Error( |
|
518
|
|
|
'local_user_missing', |
|
|
|
|
|
|
519
|
|
|
__( 'The required "local_user" parameter is missing.', 'jetpack' ), |
|
520
|
|
|
400 |
|
521
|
|
|
), |
|
522
|
|
|
'remote_provision' |
|
523
|
|
|
); |
|
524
|
|
|
} |
|
525
|
|
|
|
|
526
|
|
|
// Local user is used to look up by login, email or ID. |
|
527
|
|
|
$local_user_info = $request['local_user']; |
|
528
|
|
|
|
|
529
|
|
|
return $this->get_user_by_anything( $local_user_info ); |
|
530
|
|
|
} |
|
531
|
|
|
|
|
532
|
|
|
/** |
|
533
|
|
|
* Gets the user object by its data. |
|
534
|
|
|
* |
|
535
|
|
|
* @param string $user_id can be any identifying user data. |
|
536
|
|
|
*/ |
|
537
|
|
|
private function get_user_by_anything( $user_id ) { |
|
538
|
|
|
$user = get_user_by( 'login', $user_id ); |
|
539
|
|
|
|
|
540
|
|
|
if ( ! $user ) { |
|
541
|
|
|
$user = get_user_by( 'email', $user_id ); |
|
542
|
|
|
} |
|
543
|
|
|
|
|
544
|
|
|
if ( ! $user ) { |
|
545
|
|
|
$user = get_user_by( 'ID', $user_id ); |
|
546
|
|
|
} |
|
547
|
|
|
|
|
548
|
|
|
return $user; |
|
549
|
|
|
} |
|
550
|
|
|
|
|
551
|
|
|
/** |
|
552
|
|
|
* Possible error_codes: |
|
553
|
|
|
* |
|
554
|
|
|
* - verify_secret_1_missing |
|
555
|
|
|
* - verify_secret_1_malformed |
|
556
|
|
|
* - verify_secrets_missing: verification secrets are not found in database |
|
557
|
|
|
* - verify_secrets_incomplete: verification secrets are only partially found in database |
|
558
|
|
|
* - verify_secrets_expired: verification secrets have expired |
|
559
|
|
|
* - verify_secrets_mismatch: stored secret_1 does not match secret_1 sent by Jetpack.WordPress.com |
|
560
|
|
|
* - state_missing: required parameter of state not found |
|
561
|
|
|
* - state_malformed: state is not a digit |
|
562
|
|
|
* - invalid_state: state in request does not match the stored state |
|
563
|
|
|
* |
|
564
|
|
|
* The 'authorize' and 'register' actions have additional error codes |
|
565
|
|
|
* |
|
566
|
|
|
* state_missing: a state ( user id ) was not supplied |
|
567
|
|
|
* state_malformed: state is not the correct data type |
|
568
|
|
|
* invalid_state: supplied state does not match the stored state |
|
569
|
|
|
* |
|
570
|
|
|
* @param array $params action An array of 3 parameters: |
|
571
|
|
|
* [0]: string action. Possible values are `authorize`, `publicize` and `register`. |
|
572
|
|
|
* [1]: string secret_1. |
|
573
|
|
|
* [2]: int state. |
|
574
|
|
|
* @return \IXR_Error|string IXR_Error on failure, secret_2 on success. |
|
575
|
|
|
*/ |
|
576
|
|
|
public function verify_action( $params ) { |
|
577
|
|
|
$action = isset( $params[0] ) ? $params[0] : ''; |
|
578
|
|
|
$verify_secret = isset( $params[1] ) ? $params[1] : ''; |
|
579
|
|
|
$state = isset( $params[2] ) ? $params[2] : ''; |
|
580
|
|
|
|
|
581
|
|
|
$result = ( new Secrets() )->verify( $action, $verify_secret, $state ); |
|
582
|
|
|
|
|
583
|
|
|
if ( is_wp_error( $result ) ) { |
|
584
|
|
|
return $this->error( $result ); |
|
|
|
|
|
|
585
|
|
|
} |
|
586
|
|
|
|
|
587
|
|
|
return $result; |
|
588
|
|
|
} |
|
589
|
|
|
|
|
590
|
|
|
/** |
|
591
|
|
|
* Wrapper for wp_authenticate( $username, $password ); |
|
592
|
|
|
* |
|
593
|
|
|
* @return \WP_User|bool |
|
594
|
|
|
*/ |
|
595
|
|
|
public function login() { |
|
596
|
|
|
$this->connection->require_jetpack_authentication(); |
|
597
|
|
|
$user = wp_authenticate( 'username', 'password' ); |
|
598
|
|
|
if ( is_wp_error( $user ) ) { |
|
599
|
|
|
if ( 'authentication_failed' === $user->get_error_code() ) { // Generic error could mean most anything. |
|
600
|
|
|
$this->error = new \WP_Error( 'invalid_request', 'Invalid Request', 403 ); |
|
|
|
|
|
|
601
|
|
|
} else { |
|
602
|
|
|
$this->error = $user; |
|
603
|
|
|
} |
|
604
|
|
|
return false; |
|
605
|
|
|
} elseif ( ! $user ) { // Shouldn't happen. |
|
606
|
|
|
$this->error = new \WP_Error( 'invalid_request', 'Invalid Request', 403 ); |
|
|
|
|
|
|
607
|
|
|
return false; |
|
608
|
|
|
} |
|
609
|
|
|
|
|
610
|
|
|
wp_set_current_user( $user->ID ); |
|
611
|
|
|
|
|
612
|
|
|
return $user; |
|
613
|
|
|
} |
|
614
|
|
|
|
|
615
|
|
|
/** |
|
616
|
|
|
* Returns the current error as an \IXR_Error |
|
617
|
|
|
* |
|
618
|
|
|
* @param \WP_Error|\IXR_Error $error The error object, optional. |
|
|
|
|
|
|
619
|
|
|
* @param string $event_name The event name. |
|
|
|
|
|
|
620
|
|
|
* @param \WP_User $user The user object. |
|
|
|
|
|
|
621
|
|
|
* @return bool|\IXR_Error |
|
622
|
|
|
*/ |
|
623
|
|
|
public function error( $error = null, $event_name = null, $user = null ) { |
|
624
|
|
|
if ( null !== $event_name ) { |
|
625
|
|
|
// This action is documented in class.jetpack-xmlrpc-server.php. |
|
626
|
|
|
do_action( 'jetpack_xmlrpc_server_event', $event_name, 'fail', $error, $user ); |
|
627
|
|
|
} |
|
628
|
|
|
|
|
629
|
|
|
if ( ! is_null( $error ) ) { |
|
630
|
|
|
$this->error = $error; |
|
|
|
|
|
|
631
|
|
|
} |
|
632
|
|
|
|
|
633
|
|
|
if ( is_wp_error( $this->error ) ) { |
|
634
|
|
|
$code = $this->error->get_error_data(); |
|
|
|
|
|
|
635
|
|
|
if ( ! $code ) { |
|
636
|
|
|
$code = -10520; |
|
637
|
|
|
} |
|
638
|
|
|
$message = sprintf( 'Jetpack: [%s] %s', $this->error->get_error_code(), $this->error->get_error_message() ); |
|
|
|
|
|
|
639
|
|
|
return new \IXR_Error( $code, $message ); |
|
640
|
|
|
} elseif ( is_a( $this->error, 'IXR_Error' ) ) { |
|
641
|
|
|
return $this->error; |
|
642
|
|
|
} |
|
643
|
|
|
|
|
644
|
|
|
return false; |
|
645
|
|
|
} |
|
646
|
|
|
|
|
647
|
|
|
/* API Methods */ |
|
648
|
|
|
|
|
649
|
|
|
/** |
|
650
|
|
|
* Just authenticates with the given Jetpack credentials. |
|
651
|
|
|
* |
|
652
|
|
|
* @return string A success string. The Jetpack plugin filters it and make it return the Jetpack plugin version. |
|
653
|
|
|
*/ |
|
654
|
|
|
public function test_connection() { |
|
655
|
|
|
/** |
|
656
|
|
|
* Filters the successful response of the XMLRPC test_connection method |
|
657
|
|
|
* |
|
658
|
|
|
* @param string $response The response string. |
|
659
|
|
|
*/ |
|
660
|
|
|
return apply_filters( 'jetpack_xmlrpc_test_connection_response', 'success' ); |
|
661
|
|
|
} |
|
662
|
|
|
|
|
663
|
|
|
/** |
|
664
|
|
|
* Test the API user code. |
|
665
|
|
|
* |
|
666
|
|
|
* @param array $args arguments identifying the test site. |
|
667
|
|
|
*/ |
|
668
|
|
|
public function test_api_user_code( $args ) { |
|
669
|
|
|
$client_id = (int) $args[0]; |
|
670
|
|
|
$user_id = (int) $args[1]; |
|
671
|
|
|
$nonce = (string) $args[2]; |
|
672
|
|
|
$verify = (string) $args[3]; |
|
673
|
|
|
|
|
674
|
|
|
if ( ! $client_id || ! $user_id || ! strlen( $nonce ) || 32 !== strlen( $verify ) ) { |
|
675
|
|
|
return false; |
|
676
|
|
|
} |
|
677
|
|
|
|
|
678
|
|
|
$user = get_user_by( 'id', $user_id ); |
|
679
|
|
|
if ( ! $user || is_wp_error( $user ) ) { |
|
680
|
|
|
return false; |
|
681
|
|
|
} |
|
682
|
|
|
|
|
683
|
|
|
/* phpcs:ignore |
|
684
|
|
|
debugging |
|
685
|
|
|
error_log( "CLIENT: $client_id" ); |
|
686
|
|
|
error_log( "USER: $user_id" ); |
|
687
|
|
|
error_log( "NONCE: $nonce" ); |
|
688
|
|
|
error_log( "VERIFY: $verify" ); |
|
689
|
|
|
*/ |
|
690
|
|
|
|
|
691
|
|
|
$jetpack_token = ( new Tokens() )->get_access_token( $user_id ); |
|
692
|
|
|
|
|
693
|
|
|
$api_user_code = get_user_meta( $user_id, "jetpack_json_api_$client_id", true ); |
|
694
|
|
|
if ( ! $api_user_code ) { |
|
695
|
|
|
return false; |
|
696
|
|
|
} |
|
697
|
|
|
|
|
698
|
|
|
$hmac = hash_hmac( |
|
699
|
|
|
'md5', |
|
700
|
|
|
json_encode( // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode |
|
701
|
|
|
(object) array( |
|
702
|
|
|
'client_id' => (int) $client_id, |
|
703
|
|
|
'user_id' => (int) $user_id, |
|
704
|
|
|
'nonce' => (string) $nonce, |
|
705
|
|
|
'code' => (string) $api_user_code, |
|
706
|
|
|
) |
|
707
|
|
|
), |
|
708
|
|
|
$jetpack_token->secret |
|
709
|
|
|
); |
|
710
|
|
|
|
|
711
|
|
|
if ( ! hash_equals( $hmac, $verify ) ) { |
|
712
|
|
|
return false; |
|
713
|
|
|
} |
|
714
|
|
|
|
|
715
|
|
|
return $user_id; |
|
716
|
|
|
} |
|
717
|
|
|
|
|
718
|
|
|
/** |
|
719
|
|
|
* Unlink a user from WordPress.com |
|
720
|
|
|
* |
|
721
|
|
|
* When the request is done without any parameter, this XMLRPC callback gets an empty array as input. |
|
722
|
|
|
* |
|
723
|
|
|
* If $user_id is not provided, it will try to disconnect the current logged in user. This will fail if called by the Master User. |
|
724
|
|
|
* |
|
725
|
|
|
* If $user_id is is provided, it will try to disconnect the informed user, even if it's the Master User. |
|
726
|
|
|
* |
|
727
|
|
|
* @param mixed $user_id The user ID to disconnect from this site. |
|
728
|
|
|
*/ |
|
729
|
|
|
public function unlink_user( $user_id = array() ) { |
|
730
|
|
|
$user_id = (int) $user_id; |
|
731
|
|
|
if ( $user_id < 1 ) { |
|
732
|
|
|
$user_id = null; |
|
733
|
|
|
} |
|
734
|
|
|
/** |
|
735
|
|
|
* Fired when we want to log an event to the Jetpack event log. |
|
736
|
|
|
* |
|
737
|
|
|
* @since 7.7.0 |
|
738
|
|
|
* |
|
739
|
|
|
* @param string $code Unique name for the event. |
|
740
|
|
|
* @param string $data Optional data about the event. |
|
741
|
|
|
*/ |
|
742
|
|
|
do_action( 'jetpack_event_log', 'unlink' ); |
|
743
|
|
|
return $this->connection->disconnect_user( |
|
744
|
|
|
$user_id, |
|
745
|
|
|
(bool) $user_id |
|
746
|
|
|
); |
|
747
|
|
|
} |
|
748
|
|
|
|
|
749
|
|
|
/** |
|
750
|
|
|
* Returns any object that is able to be synced. |
|
751
|
|
|
* |
|
752
|
|
|
* @deprecated since 7.8.0 |
|
753
|
|
|
* @see Automattic\Jetpack\Sync\Sender::sync_object() |
|
754
|
|
|
* |
|
755
|
|
|
* @param array $args the synchronized object parameters. |
|
756
|
|
|
* @return string Encoded sync object. |
|
757
|
|
|
*/ |
|
758
|
|
|
public function sync_object( $args ) { |
|
759
|
|
|
_deprecated_function( __METHOD__, 'jetpack-7.8', 'Automattic\\Jetpack\\Sync\\Sender::sync_object' ); |
|
760
|
|
|
return Sender::get_instance()->sync_object( $args ); |
|
761
|
|
|
} |
|
762
|
|
|
|
|
763
|
|
|
/** |
|
764
|
|
|
* Returns the home URL and site URL for the current site which can be used on the WPCOM side for |
|
765
|
|
|
* IDC mitigation to decide whether sync should be allowed if the home and siteurl values differ between WPCOM |
|
766
|
|
|
* and the remote Jetpack site. |
|
767
|
|
|
* |
|
768
|
|
|
* @return array |
|
769
|
|
|
*/ |
|
770
|
|
|
public function validate_urls_for_idc_mitigation() { |
|
771
|
|
|
return array( |
|
772
|
|
|
'home' => Functions::home_url(), |
|
773
|
|
|
'siteurl' => Functions::site_url(), |
|
774
|
|
|
); |
|
775
|
|
|
} |
|
776
|
|
|
|
|
777
|
|
|
/** |
|
778
|
|
|
* Updates the attachment parent object. |
|
779
|
|
|
* |
|
780
|
|
|
* @param array $args attachment and parent identifiers. |
|
781
|
|
|
*/ |
|
782
|
|
|
public function update_attachment_parent( $args ) { |
|
783
|
|
|
$attachment_id = (int) $args[0]; |
|
784
|
|
|
$parent_id = (int) $args[1]; |
|
785
|
|
|
|
|
786
|
|
|
return wp_update_post( |
|
787
|
|
|
array( |
|
788
|
|
|
'ID' => $attachment_id, |
|
789
|
|
|
'post_parent' => $parent_id, |
|
790
|
|
|
) |
|
791
|
|
|
); |
|
792
|
|
|
} |
|
793
|
|
|
|
|
794
|
|
|
/** |
|
795
|
|
|
* Deprecated: This method is no longer part of the Connection package and now lives on the Jetpack plugin. |
|
796
|
|
|
* |
|
797
|
|
|
* Disconnect this blog from the connected wordpress.com account |
|
798
|
|
|
* |
|
799
|
|
|
* @deprecated since 9.6.0 |
|
800
|
|
|
* @see Jetpack_XMLRPC_Methods::disconnect_blog() in the Jetpack plugin |
|
801
|
|
|
* |
|
802
|
|
|
* @return boolean |
|
803
|
|
|
*/ |
|
804
|
|
|
public function disconnect_blog() { |
|
805
|
|
|
_deprecated_function( __METHOD__, 'jetpack-9.6', 'Jetpack_XMLRPC_Methods::disconnect_blog()' ); |
|
806
|
|
|
if ( class_exists( 'Jetpack_XMLRPC_Methods' ) ) { |
|
807
|
|
|
return Jetpack_XMLRPC_Methods::disconnect_blog(); |
|
808
|
|
|
} |
|
809
|
|
|
return false; |
|
810
|
|
|
} |
|
811
|
|
|
|
|
812
|
|
|
/** |
|
813
|
|
|
* Deprecated: This method is no longer part of the Connection package and now lives on the Jetpack plugin. |
|
814
|
|
|
* |
|
815
|
|
|
* Returns what features are available. Uses the slug of the module files. |
|
816
|
|
|
* |
|
817
|
|
|
* @deprecated since 9.6.0 |
|
818
|
|
|
* @see Jetpack_XMLRPC_Methods::features_available() in the Jetpack plugin |
|
819
|
|
|
* |
|
820
|
|
|
* @return array |
|
821
|
|
|
*/ |
|
822
|
|
|
public function features_available() { |
|
823
|
|
|
_deprecated_function( __METHOD__, 'jetpack-9.6', 'Jetpack_XMLRPC_Methods::features_available()' ); |
|
824
|
|
|
if ( class_exists( 'Jetpack_XMLRPC_Methods' ) ) { |
|
825
|
|
|
return Jetpack_XMLRPC_Methods::features_available(); |
|
826
|
|
|
} |
|
827
|
|
|
return array(); |
|
828
|
|
|
} |
|
829
|
|
|
|
|
830
|
|
|
/** |
|
831
|
|
|
* Deprecated: This method is no longer part of the Connection package and now lives on the Jetpack plugin. |
|
832
|
|
|
* |
|
833
|
|
|
* Returns what features are enabled. Uses the slug of the modules files. |
|
834
|
|
|
* |
|
835
|
|
|
* @deprecated since 9.6.0 |
|
836
|
|
|
* @see Jetpack_XMLRPC_Methods::features_enabled() in the Jetpack plugin |
|
837
|
|
|
* |
|
838
|
|
|
* @return array |
|
839
|
|
|
*/ |
|
840
|
|
|
public function features_enabled() { |
|
841
|
|
|
_deprecated_function( __METHOD__, 'jetpack-9.6', 'Jetpack_XMLRPC_Methods::features_enabled()' ); |
|
842
|
|
|
if ( class_exists( 'Jetpack_XMLRPC_Methods' ) ) { |
|
843
|
|
|
return Jetpack_XMLRPC_Methods::features_enabled(); |
|
844
|
|
|
} |
|
845
|
|
|
return array(); |
|
846
|
|
|
} |
|
847
|
|
|
|
|
848
|
|
|
/** |
|
849
|
|
|
* Deprecated: This method is no longer part of the Connection package and now lives on the Jetpack plugin. |
|
850
|
|
|
* |
|
851
|
|
|
* Serve a JSON API request. |
|
852
|
|
|
* |
|
853
|
|
|
* @deprecated since 9.6.0 |
|
854
|
|
|
* @see Jetpack_XMLRPC_Methods::json_api() in the Jetpack plugin |
|
855
|
|
|
* |
|
856
|
|
|
* @param array $args request arguments. |
|
857
|
|
|
*/ |
|
858
|
|
|
public function json_api( $args = array() ) { |
|
859
|
|
|
_deprecated_function( __METHOD__, 'jetpack-9.6', 'Jetpack_XMLRPC_Methods::json_api()' ); |
|
860
|
|
|
if ( class_exists( 'Jetpack_XMLRPC_Methods' ) ) { |
|
861
|
|
|
return Jetpack_XMLRPC_Methods::json_api( $args ); |
|
862
|
|
|
} |
|
863
|
|
|
return array(); |
|
864
|
|
|
} |
|
865
|
|
|
|
|
866
|
|
|
} |
|
867
|
|
|
|
Automattic /
jetpack
Loading history...
Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly.
For example, imagine you have a variable
$accountIdthat can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to theidproperty of an instance of theAccountclass. This class holds a proper account, so the id value must no longer be false.Either this assignment is in error or a type check should be added for that assignment.