Jetpack_Client::_wp_remote_request() - Code Metrics - Inspection of "Adds a survey to the failed authorization notice" - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — enhance/failed-auth-survey ( 62d2b0 )

unknown

created 2016-03-15 15:32 UTC

Jetpack_Client::_wp_remote_request() C

↳ Parent: Jetpack_Client

Complexity

Conditions	14
Paths	17

Size

Total Lines	73
Code Lines	35

Duplication

Lines	0
Ratio	0 %

Metric	Value
dl	0
loc	73
rs	5.4367
cc	14
eloc	35
nc	17
nop	3

How to fix Long Method Complexity

<?php

class Jetpack_Client {
	const WPCOM_JSON_API_VERSION = '1.1';

	/**
	 * Makes an authorized remote request using Jetpack_Signature
	 *
	 * @return array|WP_Error WP HTTP response on success
	 */
	public static function remote_request( $args, $body = null ) {
		$defaults = array(
			'url' => '',
			'user_id' => 0,
			'blog_id' => 0,
			'auth_location' => JETPACK_CLIENT__AUTH_LOCATION,
			'method' => 'POST',
			'timeout' => 10,
			'redirection' => 0,
		);

		$args = wp_parse_args( $args, $defaults );

		$args['blog_id'] = (int) $args['blog_id'];

		if ( 'header' != $args['auth_location'] ) {
			$args['auth_location'] = 'query_string';
		}

		$token = Jetpack_Data::get_access_token( $args['user_id'] );
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
		if ( !$token ) {
			return new Jetpack_Error( 'missing_token' );
		}

		$method = strtoupper( $args['method'] );

		$timeout = intval( $args['timeout'] );

		$redirection = $args['redirection'];

		$request = compact( 'method', 'body', 'timeout', 'redirection' );

		@list( $token_key, $secret ) = explode( '.', $token->secret );
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
		if ( empty( $token ) || empty( $secret ) ) {
			return new Jetpack_Error( 'malformed_token' );
		}

		$token_key = sprintf( '%s:%d:%d', $token_key, JETPACK__API_VERSION, $token->external_user_id );

		require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';

		$time_diff = (int) Jetpack_Options::get_option( 'time_diff' );
		$jetpack_signature = new Jetpack_Signature( $token->secret, $time_diff );

		$timestamp = time() + $time_diff;

		if( function_exists( 'wp_generate_password' ) ) {
			$nonce = wp_generate_password( 10, false );
		} else {
			$nonce = substr( sha1( rand( 0, 1000000 ) ), 0, 10);
		}

		// Kind of annoying.  Maybe refactor Jetpack_Signature to handle body-hashing
		if ( is_null( $body ) ) {
			$body_hash = '';
		} else {
			if ( !is_string( $body ) ) {
				return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
			}
			$body_hash = jetpack_sha1_base64( $body );
		}

		$auth = array(
			'token' => $token_key,
			'timestamp' => $timestamp,
			'nonce' => $nonce,
			'body-hash' => $body_hash,
		);

		if ( false !== strpos( $args['url'], 'xmlrpc.php' ) ) {
			$url_args = array(
				'for'           => 'jetpack',
				'wpcom_blog_id' => Jetpack_Options::get_option( 'id' ),
			);
		} else {
			$url_args = array();
		}

		if ( 'header' != $args['auth_location'] ) {
			$url_args += $auth;
		}

		$url = add_query_arg( urlencode_deep( $url_args ), $args['url'] );
		$url = Jetpack::fix_url_for_bad_hosts( $url );

		$signature = $jetpack_signature->sign_request( $token_key, $timestamp, $nonce, $body_hash, $method, $url, $body, false );

		if ( !$signature || is_wp_error( $signature ) ) {
			return $signature;
		}

		// Send an Authorization header so various caches/proxies do the right thing
		$auth['signature'] = $signature;
		$auth['version'] = JETPACK__VERSION;
		$header_pieces = array();
		foreach ( $auth as $key => $value ) {
			$header_pieces[] = sprintf( '%s="%s"', $key, $value );
		}
		$request['headers'] = array(
			'Authorization' => "X_JETPACK " . join( ' ', $header_pieces ),
		);

		// Make sure we keep the host when we do JETPACK__WPCOM_JSON_API_HOST requests.
		$host = parse_url( $url, PHP_URL_HOST );
		if ( $host === JETPACK__WPCOM_JSON_API_HOST ) {
			$request['headers']['Host'] = 'public-api.wordpress.com';
		}

		if ( 'header' != $args['auth_location'] ) {
			$url = add_query_arg( 'signature', urlencode( $signature ), $url );
		}

		return Jetpack_Client::_wp_remote_request( $url, $request );
	}

	/**
	 * Wrapper for wp_remote_request().  Turns off SSL verification for certain SSL errors.
	 * This is lame, but many, many, many hosts have misconfigured SSL.
	 *
	 * When Jetpack is registered, the jetpack_fallback_no_verify_ssl_certs option is set to the current time if:
	 * 1. a certificate error is found AND
	 * 2. not verifying the certificate works around the problem.
	 *
	 * The option is checked on each request.
	 *
	 * @internal
	 * @see Jetpack::fix_url_for_bad_hosts()
	 *
	 * @return array|WP_Error WP HTTP response on success
	 */
	public static function _wp_remote_request( $url, $args, $set_fallback = false ) {
		/**
		 * SSL verification (`sslverify`) for the JetpackClient remote request
		 * defaults to off, use this filter to force it on.
		 *
		 * Return `true` to ENABLE SSL verification, return `false`
		 * to DISABLE SSL verification.
		 *
		 * @since 3.6.0
		 *
		 * @param bool Whether to force `sslverify` or not.
		 */
		if ( apply_filters( 'jetpack_client_verify_ssl_certs', false ) ) {
			return wp_remote_request( $url, $args );
		}

		$fallback = Jetpack_Options::get_option( 'fallback_no_verify_ssl_certs' );
		if ( false === $fallback ) {
			Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', 0 );
		}

		if ( (int) $fallback ) {
			// We're flagged to fallback
			$args['sslverify'] = false;
		}

		$response = wp_remote_request( $url, $args );

		if (
			!$set_fallback                                     // We're not allowed to set the flag on this request, so whatever happens happens
		||
			isset( $args['sslverify'] ) && !$args['sslverify'] // No verification - no point in doing it again
		||
			!is_wp_error( $response )                          // Let it ride
		) {
			Jetpack_Client::set_time_diff( $response, $set_fallback );
			return $response;
		}

		// At this point, we're not flagged to fallback and we are allowed to set the flag on this request.

		$message = $response->get_error_message();

		// Is it an SSL Certificate verification error?
		if (
			false === strpos( $message, '14090086' ) // OpenSSL SSL3 certificate error
		&&
			false === strpos( $message, '1407E086' ) // OpenSSL SSL2 certificate error
		&&
			false === strpos( $message, 'error setting certificate verify locations' ) // cURL CA bundle not found
		&&
			false === strpos( $message, 'Peer certificate cannot be authenticated with' ) // cURL CURLE_SSL_CACERT: CA bundle found, but not helpful
			                                                                              // different versions of curl have different error messages
			                                                                              // this string should catch them all
		&&
			false === strpos( $message, 'Problem with the SSL CA cert' ) // cURL CURLE_SSL_CACERT_BADFILE: probably access rights
		) {
			// No, it is not.
			return $response;
		}

		// Redo the request without SSL certificate verification.
		$args['sslverify'] = false;
		$response = wp_remote_request( $url, $args );

		if ( !is_wp_error( $response ) ) {
			// The request went through this time, flag for future fallbacks
			Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', time() );
			Jetpack_Client::set_time_diff( $response, $set_fallback );
		}

		return $response;
	}

	public static function set_time_diff( &$response, $force_set = false ) {
		$code = wp_remote_retrieve_response_code( $response );

		// Only trust the Date header on some responses
		if ( 200 != $code && 304 != $code && 400 != $code && 401 != $code ) {
			return;
		}

		if ( !$date = wp_remote_retrieve_header( $response, 'date' ) ) {
			return;
		}

		if ( 0 >= $time = (int) strtotime( $date ) ) {
			return;
		}

		$time_diff = $time - time();

		if ( $force_set ) { // during register
			Jetpack_Options::update_option( 'time_diff', $time_diff );
		} else { // otherwise
			$old_diff = Jetpack_Options::get_option( 'time_diff' );
			if ( false === $old_diff || abs( $time_diff - (int) $old_diff ) > 10 ) {
				Jetpack_Options::update_option( 'time_diff', $time_diff );
			}
		}
	}

	/**
	 * Query the WordPress.com REST API using the blog token
	 *
	 * @param string  $path
	 * @param string  $version
	 * @param array   $args
	 * @param string  $body

	 * @return array|WP_Error $response Data.
	 */
	static function wpcom_json_api_request_as_blog( $path, $version = self::WPCOM_JSON_API_VERSION, $args = array(), $body = null ) {
		$filtered_args = array_intersect_key( $args, array(
			'method'      => 'string',
			'timeout'     => 'int',
			'redirection' => 'int',
		) );

		/**
		 * Determines whether Jetpack can send outbound https requests to the WPCOM api.
		 *
		 * @since 3.6.0
		 *
		 * @param bool $proto Defaults to true.
		 */
		$proto = apply_filters( 'jetpack_can_make_outbound_https', true ) ? 'https' : 'http';

		// unprecedingslashit
		$_path = preg_replace( '/^\//', '', $path );

		// Use GET by default whereas `remote_request` uses POST
		if ( isset( $filtered_args['method'] ) && strtoupper( $filtered_args['method'] === 'POST' ) ) {
			$request_method = 'POST';
		} else {
			$request_method = 'GET';
		}

		$validated_args = array_merge( $filtered_args, array(
			'url'     => sprintf( '%s://%s/rest/v%s/%s', $proto, JETPACK__WPCOM_JSON_API_HOST, $version, $_path ),
			'blog_id' => (int) Jetpack_Options::get_option( 'id' ),
			'method'  => $request_method,
		) );

		return Jetpack_Client::remote_request( $validated_args, $body );
	}

}


1		<?php
2
3		class Jetpack_Client {
4		const WPCOM_JSON_API_VERSION = '1.1';
5
6		/**
7		* Makes an authorized remote request using Jetpack_Signature
8		*
9		* @return array\|WP_Error WP HTTP response on success
10		*/
11		public static function remote_request( $args, $body = null ) {
12		$defaults = array(
13		'url' => '',
14		'user_id' => 0,
15		'blog_id' => 0,
16		'auth_location' => JETPACK_CLIENT__AUTH_LOCATION,
17		'method' => 'POST',
18		'timeout' => 10,
19		'redirection' => 0,
20		);
21
22		$args = wp_parse_args( $args, $defaults );
23
24		$args['blog_id'] = (int) $args['blog_id'];
25
26		if ( 'header' != $args['auth_location'] ) {
27		$args['auth_location'] = 'query_string';
28		}
29
30		$token = Jetpack_Data::get_access_token( $args['user_id'] );
		0 ignored issues – show Documentation introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report `$args['user_id']` is of type `integer\|string`, but the function expects a `boolean`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
31		if ( !$token ) {
32		return new Jetpack_Error( 'missing_token' );
33		}
34
35		$method = strtoupper( $args['method'] );
36
37		$timeout = intval( $args['timeout'] );
38
39		$redirection = $args['redirection'];
40
41		$request = compact( 'method', 'body', 'timeout', 'redirection' );
42
43		@list( $token_key, $secret ) = explode( '.', $token->secret );
		0 ignored issues – show Security Best Practice introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
44		if ( empty( $token ) \|\| empty( $secret ) ) {
45		return new Jetpack_Error( 'malformed_token' );
46		}
47
48		$token_key = sprintf( '%s:%d:%d', $token_key, JETPACK__API_VERSION, $token->external_user_id );
49
50		require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';
51
52		$time_diff = (int) Jetpack_Options::get_option( 'time_diff' );
53		$jetpack_signature = new Jetpack_Signature( $token->secret, $time_diff );
54
55		$timestamp = time() + $time_diff;
56
57		if( function_exists( 'wp_generate_password' ) ) {
58		$nonce = wp_generate_password( 10, false );
59		} else {
60		$nonce = substr( sha1( rand( 0, 1000000 ) ), 0, 10);
61		}
62
63		// Kind of annoying. Maybe refactor Jetpack_Signature to handle body-hashing
64	View Code Duplication	if ( is_null( $body ) ) {
65		$body_hash = '';
66		} else {
67		if ( !is_string( $body ) ) {
68		return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
69		}
70		$body_hash = jetpack_sha1_base64( $body );
71		}
72
73		$auth = array(
74		'token' => $token_key,
75		'timestamp' => $timestamp,
76		'nonce' => $nonce,
77		'body-hash' => $body_hash,
78		);
79
80		if ( false !== strpos( $args['url'], 'xmlrpc.php' ) ) {
81		$url_args = array(
82		'for' => 'jetpack',
83		'wpcom_blog_id' => Jetpack_Options::get_option( 'id' ),
84		);
85		} else {
86		$url_args = array();
87		}
88
89		if ( 'header' != $args['auth_location'] ) {
90		$url_args += $auth;
91		}
92
93		$url = add_query_arg( urlencode_deep( $url_args ), $args['url'] );
94		$url = Jetpack::fix_url_for_bad_hosts( $url );
95
96		$signature = $jetpack_signature->sign_request( $token_key, $timestamp, $nonce, $body_hash, $method, $url, $body, false );
97
98		if ( !$signature \|\| is_wp_error( $signature ) ) {
99		return $signature;
100		}
101
102		// Send an Authorization header so various caches/proxies do the right thing
103		$auth['signature'] = $signature;
104		$auth['version'] = JETPACK__VERSION;
105		$header_pieces = array();
106		foreach ( $auth as $key => $value ) {
107		$header_pieces[] = sprintf( '%s="%s"', $key, $value );
108		}
109		$request['headers'] = array(
110		'Authorization' => "X_JETPACK " . join( ' ', $header_pieces ),
111		);
112
113		// Make sure we keep the host when we do JETPACK__WPCOM_JSON_API_HOST requests.
114		$host = parse_url( $url, PHP_URL_HOST );
115		if ( $host === JETPACK__WPCOM_JSON_API_HOST ) {
116		$request['headers']['Host'] = 'public-api.wordpress.com';
117		}
118
119		if ( 'header' != $args['auth_location'] ) {
120		$url = add_query_arg( 'signature', urlencode( $signature ), $url );
121		}
122
123		return Jetpack_Client::_wp_remote_request( $url, $request );
124		}
125
126		/**
127		* Wrapper for wp_remote_request(). Turns off SSL verification for certain SSL errors.
128		* This is lame, but many, many, many hosts have misconfigured SSL.
129		*
130		* When Jetpack is registered, the jetpack_fallback_no_verify_ssl_certs option is set to the current time if:
131		* 1. a certificate error is found AND
132		* 2. not verifying the certificate works around the problem.
133		*
134		* The option is checked on each request.
135		*
136		* @internal
137		* @see Jetpack::fix_url_for_bad_hosts()
138		*
139		* @return array\|WP_Error WP HTTP response on success
140		*/
141		public static function _wp_remote_request( $url, $args, $set_fallback = false ) {
142		/**
143		* SSL verification (`sslverify`) for the JetpackClient remote request
144		* defaults to off, use this filter to force it on.
145		*
146		* Return `true` to ENABLE SSL verification, return `false`
147		* to DISABLE SSL verification.
148		*
149		* @since 3.6.0
150		*
151		* @param bool Whether to force `sslverify` or not.
152		*/
153		if ( apply_filters( 'jetpack_client_verify_ssl_certs', false ) ) {
154		return wp_remote_request( $url, $args );
155		}
156
157		$fallback = Jetpack_Options::get_option( 'fallback_no_verify_ssl_certs' );
158		if ( false === $fallback ) {
159		Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', 0 );
160		}
161
162		if ( (int) $fallback ) {
163		// We're flagged to fallback
164		$args['sslverify'] = false;
165		}
166
167		$response = wp_remote_request( $url, $args );
168
169		if (
170		!$set_fallback // We're not allowed to set the flag on this request, so whatever happens happens
171		\|\|
172		isset( $args['sslverify'] ) && !$args['sslverify'] // No verification - no point in doing it again
173		\|\|
174		!is_wp_error( $response ) // Let it ride
175		) {
176		Jetpack_Client::set_time_diff( $response, $set_fallback );
177		return $response;
178		}
179
180		// At this point, we're not flagged to fallback and we are allowed to set the flag on this request.
181
182		$message = $response->get_error_message();
183
184		// Is it an SSL Certificate verification error?
185		if (
186		false === strpos( $message, '14090086' ) // OpenSSL SSL3 certificate error
187		&&
188		false === strpos( $message, '1407E086' ) // OpenSSL SSL2 certificate error
189		&&
190		false === strpos( $message, 'error setting certificate verify locations' ) // cURL CA bundle not found
191		&&
192		false === strpos( $message, 'Peer certificate cannot be authenticated with' ) // cURL CURLE_SSL_CACERT: CA bundle found, but not helpful
193		// different versions of curl have different error messages
194		// this string should catch them all
195		&&
196		false === strpos( $message, 'Problem with the SSL CA cert' ) // cURL CURLE_SSL_CACERT_BADFILE: probably access rights
197		) {
198		// No, it is not.
199		return $response;
200		}
201
202		// Redo the request without SSL certificate verification.
203		$args['sslverify'] = false;
204		$response = wp_remote_request( $url, $args );
205
206		if ( !is_wp_error( $response ) ) {
207		// The request went through this time, flag for future fallbacks
208		Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', time() );
209		Jetpack_Client::set_time_diff( $response, $set_fallback );
210		}
211
212		return $response;
213		}
214
215		public static function set_time_diff( &$response, $force_set = false ) {
216		$code = wp_remote_retrieve_response_code( $response );
217
218		// Only trust the Date header on some responses
219		if ( 200 != $code && 304 != $code && 400 != $code && 401 != $code ) {
220		return;
221		}
222
223		if ( !$date = wp_remote_retrieve_header( $response, 'date' ) ) {
224		return;
225		}
226
227		if ( 0 >= $time = (int) strtotime( $date ) ) {
228		return;
229		}
230
231		$time_diff = $time - time();
232
233		if ( $force_set ) { // during register
234		Jetpack_Options::update_option( 'time_diff', $time_diff );
235		} else { // otherwise
236		$old_diff = Jetpack_Options::get_option( 'time_diff' );
237		if ( false === $old_diff \|\| abs( $time_diff - (int) $old_diff ) > 10 ) {
238		Jetpack_Options::update_option( 'time_diff', $time_diff );
239		}
240		}
241		}
242
243		/**
244		* Query the WordPress.com REST API using the blog token
245		*
246		* @param string $path
247		* @param string $version
248		* @param array $args
249		* @param string $body
		0 ignored issues – show Documentation introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report Should the type for parameter `$body` not be `string\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
250		* @return array\|WP_Error $response Data.
251		*/
252		static function wpcom_json_api_request_as_blog( $path, $version = self::WPCOM_JSON_API_VERSION, $args = array(), $body = null ) {
253		$filtered_args = array_intersect_key( $args, array(
254		'method' => 'string',
255		'timeout' => 'int',
256		'redirection' => 'int',
257		) );
258
259		/**
260		* Determines whether Jetpack can send outbound https requests to the WPCOM api.
261		*
262		* @since 3.6.0
263		*
264		* @param bool $proto Defaults to true.
265		*/
266		$proto = apply_filters( 'jetpack_can_make_outbound_https', true ) ? 'https' : 'http';
267
268		// unprecedingslashit
269		$_path = preg_replace( '/^\//', '', $path );
270
271		// Use GET by default whereas `remote_request` uses POST
272		if ( isset( $filtered_args['method'] ) && strtoupper( $filtered_args['method'] === 'POST' ) ) {
273		$request_method = 'POST';
274		} else {
275		$request_method = 'GET';
276		}
277
278		$validated_args = array_merge( $filtered_args, array(
279		'url' => sprintf( '%s://%s/rest/v%s/%s', $proto, JETPACK__WPCOM_JSON_API_HOST, $version, $_path ),
280		'blog_id' => (int) Jetpack_Options::get_option( 'id' ),
281		'method' => $request_method,
282		) );
283
284		return Jetpack_Client::remote_request( $validated_args, $body );
285		}
286
287		}
288

Automattic / jetpack

Push — enhance/failed-auth-survey ( 62d2b0 )

Jetpack_Client::_wp_remote_request() C

Complexity

Size

Duplication

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like