Completed
Push — add/jetpack_connection_new_met... ( 4417f6 )
by
unknown
58:25 queued 50:08
created

Manager::refresh_user_token()   A

Complexity

Conditions 1
Paths 1

Size

Total Lines 7

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 1
nc 1
nop 0
dl 0
loc 7
rs 10
c 0
b 0
f 0
1
<?php
2
/**
3
 * The Jetpack Connection manager class file.
4
 *
5
 * @package automattic/jetpack-connection
6
 */
7
8
namespace Automattic\Jetpack\Connection;
9
10
use Automattic\Jetpack\Constants;
11
use Automattic\Jetpack\Heartbeat;
12
use Automattic\Jetpack\Roles;
13
use Automattic\Jetpack\Status;
14
use Automattic\Jetpack\Tracking;
15
use Jetpack_Options;
16
use WP_Error;
17
use WP_User;
18
19
/**
20
 * The Jetpack Connection Manager class that is used as a single gateway between WordPress.com
21
 * and Jetpack.
22
 */
23
class Manager {
24
25
	const SECRETS_MISSING        = 'secrets_missing';
26
	const SECRETS_EXPIRED        = 'secrets_expired';
27
	const SECRETS_OPTION_NAME    = 'jetpack_secrets';
28
	const MAGIC_NORMAL_TOKEN_KEY = ';normal;';
29
30
	/**
31
	 * Constant used to fetch the master user token. Deprecated.
32
	 *
33
	 * @deprecated 9.0.0
34
	 * @see Manager::CONNECTION_OWNER
35
	 * @var boolean
36
	 */
37
	const JETPACK_MASTER_USER = true; //phpcs:ignore Jetpack.Constants.MasterUserConstant.ShouldNotBeUsed
38
39
	/**
40
	 * For internal use only. If you need to get the connection owner, use the provided methods
41
	 * get_connection_owner_id, get_connection_owner and is_connection_owner
42
	 *
43
	 * @todo Add private visibility once PHP 7.1 is the minimum supported verion.
44
	 *
45
	 * @var boolean
46
	 */
47
	const CONNECTION_OWNER = true;
48
49
	/**
50
	 * The procedure that should be run to generate secrets.
51
	 *
52
	 * @var Callable
53
	 */
54
	protected $secret_callable;
55
56
	/**
57
	 * A copy of the raw POST data for signature verification purposes.
58
	 *
59
	 * @var String
60
	 */
61
	protected $raw_post_data;
62
63
	/**
64
	 * Verification data needs to be stored to properly verify everything.
65
	 *
66
	 * @var Object
67
	 */
68
	private $xmlrpc_verification = null;
69
70
	/**
71
	 * Plugin management object.
72
	 *
73
	 * @var Plugin
74
	 */
75
	private $plugin = null;
76
77
	/**
78
	 * Initialize the object.
79
	 * Make sure to call the "Configure" first.
80
	 *
81
	 * @param string $plugin_slug Slug of the plugin using the connection (optional, but encouraged).
0 ignored issues
show
Documentation introduced by
Should the type for parameter $plugin_slug not be string|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
82
	 *
83
	 * @see \Automattic\Jetpack\Config
84
	 */
85
	public function __construct( $plugin_slug = null ) {
86
		if ( $plugin_slug && is_string( $plugin_slug ) ) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $plugin_slug of type string|null is loosely compared to true; this is ambiguous if the string can be empty. You might want to explicitly use !== null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For string values, the empty string '' is a special case, in particular the following results might be unexpected:

''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
Loading history...
87
			$this->set_plugin_instance( new Plugin( $plugin_slug ) );
88
		}
89
	}
90
91
	/**
92
	 * Initializes required listeners. This is done separately from the constructors
93
	 * because some objects sometimes need to instantiate separate objects of this class.
94
	 *
95
	 * @todo Implement a proper nonce verification.
96
	 */
97
	public static function configure() {
98
		$manager = new self();
99
100
		add_filter(
101
			'jetpack_constant_default_value',
102
			__NAMESPACE__ . '\Utils::jetpack_api_constant_filter',
103
			10,
104
			2
105
		);
106
107
		$manager->setup_xmlrpc_handlers(
108
			$_GET, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
109
			$manager->is_active(),
110
			$manager->verify_xml_rpc_signature()
0 ignored issues
show
Bug introduced by
It seems like $manager->verify_xml_rpc_signature() targeting Automattic\Jetpack\Conne...ify_xml_rpc_signature() can also be of type array; however, Automattic\Jetpack\Conne...setup_xmlrpc_handlers() does only seem to accept boolean, maybe add an additional type check?

This check looks at variables that are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
111
		);
112
113
		$manager->error_handler = Error_Handler::get_instance();
0 ignored issues
show
Bug introduced by
The property error_handler does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
114
115
		if ( $manager->is_active() ) {
116
			add_filter( 'xmlrpc_methods', array( $manager, 'public_xmlrpc_methods' ) );
117
		}
118
119
		add_action( 'rest_api_init', array( $manager, 'initialize_rest_api_registration_connector' ) );
120
121
		add_action( 'jetpack_clean_nonces', array( $manager, 'clean_nonces' ) );
122
		if ( ! wp_next_scheduled( 'jetpack_clean_nonces' ) ) {
123
			wp_schedule_event( time(), 'hourly', 'jetpack_clean_nonces' );
124
		}
125
126
		add_action( 'plugins_loaded', __NAMESPACE__ . '\Plugin_Storage::configure', 100 );
127
128
		add_filter( 'map_meta_cap', array( $manager, 'jetpack_connection_custom_caps' ), 1, 4 );
129
130
		Heartbeat::init();
131
		add_filter( 'jetpack_heartbeat_stats_array', array( $manager, 'add_stats_to_heartbeat' ) );
132
133
	}
134
135
	/**
136
	 * Sets up the XMLRPC request handlers.
137
	 *
138
	 * @param array                  $request_params incoming request parameters.
139
	 * @param Boolean                $is_active whether the connection is currently active.
140
	 * @param Boolean                $is_signed whether the signature check has been successful.
141
	 * @param \Jetpack_XMLRPC_Server $xmlrpc_server (optional) an instance of the server to use instead of instantiating a new one.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $xmlrpc_server not be null|\Jetpack_XMLRPC_Server?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
142
	 */
143
	public function setup_xmlrpc_handlers(
144
		$request_params,
145
		$is_active,
146
		$is_signed,
147
		\Jetpack_XMLRPC_Server $xmlrpc_server = null
148
	) {
149
		add_filter( 'xmlrpc_blog_options', array( $this, 'xmlrpc_options' ), 1000, 2 );
150
151
		if (
152
			! isset( $request_params['for'] )
153
			|| 'jetpack' !== $request_params['for']
154
		) {
155
			return false;
156
		}
157
158
		// Alternate XML-RPC, via ?for=jetpack&jetpack=comms.
159
		if (
160
			isset( $request_params['jetpack'] )
161
			&& 'comms' === $request_params['jetpack']
162
		) {
163
			if ( ! Constants::is_defined( 'XMLRPC_REQUEST' ) ) {
164
				// Use the real constant here for WordPress' sake.
165
				define( 'XMLRPC_REQUEST', true );
166
			}
167
168
			add_action( 'template_redirect', array( $this, 'alternate_xmlrpc' ) );
169
170
			add_filter( 'xmlrpc_methods', array( $this, 'remove_non_jetpack_xmlrpc_methods' ), 1000 );
171
		}
172
173
		if ( ! Constants::get_constant( 'XMLRPC_REQUEST' ) ) {
174
			return false;
175
		}
176
		// Display errors can cause the XML to be not well formed.
177
		@ini_set( 'display_errors', false ); // phpcs:ignore
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
178
179
		if ( $xmlrpc_server ) {
180
			$this->xmlrpc_server = $xmlrpc_server;
0 ignored issues
show
Bug introduced by
The property xmlrpc_server does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
181
		} else {
182
			$this->xmlrpc_server = new \Jetpack_XMLRPC_Server();
183
		}
184
185
		$this->require_jetpack_authentication();
186
187
		if ( $is_active ) {
188
			// Hack to preserve $HTTP_RAW_POST_DATA.
189
			add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
190
191
			if ( $is_signed ) {
192
				// The actual API methods.
193
				add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'xmlrpc_methods' ) );
194
			} else {
195
				// The jetpack.authorize method should be available for unauthenticated users on a site with an
196
				// active Jetpack connection, so that additional users can link their account.
197
				add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'authorize_xmlrpc_methods' ) );
198
			}
199
		} else {
200
			// The bootstrap API methods.
201
			add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'bootstrap_xmlrpc_methods' ) );
202
203
			if ( $is_signed ) {
204
				// The jetpack Provision method is available for blog-token-signed requests.
205
				add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'provision_xmlrpc_methods' ) );
206
			} else {
207
				new XMLRPC_Connector( $this );
208
			}
209
		}
210
211
		// Now that no one can authenticate, and we're whitelisting all XML-RPC methods, force enable_xmlrpc on.
212
		add_filter( 'pre_option_enable_xmlrpc', '__return_true' );
213
		return true;
214
	}
215
216
	/**
217
	 * Initializes the REST API connector on the init hook.
218
	 */
219
	public function initialize_rest_api_registration_connector() {
220
		new REST_Connector( $this );
221
	}
222
223
	/**
224
	 * Since a lot of hosts use a hammer approach to "protecting" WordPress sites,
225
	 * and just blanket block all requests to /xmlrpc.php, or apply other overly-sensitive
226
	 * security/firewall policies, we provide our own alternate XML RPC API endpoint
227
	 * which is accessible via a different URI. Most of the below is copied directly
228
	 * from /xmlrpc.php so that we're replicating it as closely as possible.
229
	 *
230
	 * @todo Tighten $wp_xmlrpc_server_class a bit to make sure it doesn't do bad things.
231
	 */
232
	public function alternate_xmlrpc() {
233
		// Some browser-embedded clients send cookies. We don't want them.
234
		$_COOKIE = array();
235
236
		include_once ABSPATH . 'wp-admin/includes/admin.php';
237
		include_once ABSPATH . WPINC . '/class-IXR.php';
238
		include_once ABSPATH . WPINC . '/class-wp-xmlrpc-server.php';
239
240
		/**
241
		 * Filters the class used for handling XML-RPC requests.
242
		 *
243
		 * @since 3.1.0
244
		 *
245
		 * @param string $class The name of the XML-RPC server class.
246
		 */
247
		$wp_xmlrpc_server_class = apply_filters( 'wp_xmlrpc_server_class', 'wp_xmlrpc_server' );
248
		$wp_xmlrpc_server       = new $wp_xmlrpc_server_class();
249
250
		// Fire off the request.
251
		nocache_headers();
252
		$wp_xmlrpc_server->serve_request();
253
254
		exit;
255
	}
256
257
	/**
258
	 * Removes all XML-RPC methods that are not `jetpack.*`.
259
	 * Only used in our alternate XML-RPC endpoint, where we want to
260
	 * ensure that Core and other plugins' methods are not exposed.
261
	 *
262
	 * @param array $methods a list of registered WordPress XMLRPC methods.
263
	 * @return array filtered $methods
264
	 */
265
	public function remove_non_jetpack_xmlrpc_methods( $methods ) {
266
		$jetpack_methods = array();
267
268
		foreach ( $methods as $method => $callback ) {
269
			if ( 0 === strpos( $method, 'jetpack.' ) ) {
270
				$jetpack_methods[ $method ] = $callback;
271
			}
272
		}
273
274
		return $jetpack_methods;
275
	}
276
277
	/**
278
	 * Removes all other authentication methods not to allow other
279
	 * methods to validate unauthenticated requests.
280
	 */
281
	public function require_jetpack_authentication() {
282
		// Don't let anyone authenticate.
283
		$_COOKIE = array();
284
		remove_all_filters( 'authenticate' );
285
		remove_all_actions( 'wp_login_failed' );
286
287
		if ( $this->is_active() ) {
288
			// Allow Jetpack authentication.
289
			add_filter( 'authenticate', array( $this, 'authenticate_jetpack' ), 10, 3 );
290
		}
291
	}
292
293
	/**
294
	 * Authenticates XML-RPC and other requests from the Jetpack Server
295
	 *
296
	 * @param WP_User|Mixed $user user object if authenticated.
297
	 * @param String        $username username.
298
	 * @param String        $password password string.
299
	 * @return WP_User|Mixed authenticated user or error.
300
	 */
301
	public function authenticate_jetpack( $user, $username, $password ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
302
		if ( is_a( $user, '\\WP_User' ) ) {
303
			return $user;
304
		}
305
306
		$token_details = $this->verify_xml_rpc_signature();
307
308
		if ( ! $token_details ) {
309
			return $user;
310
		}
311
312
		if ( 'user' !== $token_details['type'] ) {
313
			return $user;
314
		}
315
316
		if ( ! $token_details['user_id'] ) {
317
			return $user;
318
		}
319
320
		nocache_headers();
321
322
		return new \WP_User( $token_details['user_id'] );
323
	}
324
325
	/**
326
	 * Verifies the signature of the current request.
327
	 *
328
	 * @return false|array
329
	 */
330
	public function verify_xml_rpc_signature() {
331
		if ( is_null( $this->xmlrpc_verification ) ) {
332
			$this->xmlrpc_verification = $this->internal_verify_xml_rpc_signature();
333
334
			if ( is_wp_error( $this->xmlrpc_verification ) ) {
335
				/**
336
				 * Action for logging XMLRPC signature verification errors. This data is sensitive.
337
				 *
338
				 * @since 7.5.0
339
				 *
340
				 * @param WP_Error $signature_verification_error The verification error
341
				 */
342
				do_action( 'jetpack_verify_signature_error', $this->xmlrpc_verification );
343
344
				Error_Handler::get_instance()->report_error( $this->xmlrpc_verification );
345
346
			}
347
		}
348
349
		return is_wp_error( $this->xmlrpc_verification ) ? false : $this->xmlrpc_verification;
350
	}
351
352
	/**
353
	 * Verifies the signature of the current request.
354
	 *
355
	 * This function has side effects and should not be used. Instead,
356
	 * use the memoized version `->verify_xml_rpc_signature()`.
357
	 *
358
	 * @internal
359
	 * @todo Refactor to use proper nonce verification.
360
	 */
361
	private function internal_verify_xml_rpc_signature() {
362
		// phpcs:disable WordPress.Security.NonceVerification.Recommended
363
		// It's not for us.
364
		if ( ! isset( $_GET['token'] ) || empty( $_GET['signature'] ) ) {
365
			return false;
366
		}
367
368
		$signature_details = array(
369
			'token'     => isset( $_GET['token'] ) ? wp_unslash( $_GET['token'] ) : '',
370
			'timestamp' => isset( $_GET['timestamp'] ) ? wp_unslash( $_GET['timestamp'] ) : '',
371
			'nonce'     => isset( $_GET['nonce'] ) ? wp_unslash( $_GET['nonce'] ) : '',
372
			'body_hash' => isset( $_GET['body-hash'] ) ? wp_unslash( $_GET['body-hash'] ) : '',
373
			'method'    => wp_unslash( $_SERVER['REQUEST_METHOD'] ),
374
			'url'       => wp_unslash( $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ), // Temp - will get real signature URL later.
375
			'signature' => isset( $_GET['signature'] ) ? wp_unslash( $_GET['signature'] ) : '',
376
		);
377
378
		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
379
		@list( $token_key, $version, $user_id ) = explode( ':', wp_unslash( $_GET['token'] ) );
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
380
		// phpcs:enable WordPress.Security.NonceVerification.Recommended
381
382
		$jetpack_api_version = Constants::get_constant( 'JETPACK__API_VERSION' );
383
384
		if (
385
			empty( $token_key )
386
		||
387
			empty( $version ) || (string) $jetpack_api_version !== $version ) {
388
			return new \WP_Error( 'malformed_token', 'Malformed token in request', compact( 'signature_details' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'malformed_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
389
		}
390
391
		if ( '0' === $user_id ) {
392
			$token_type = 'blog';
393
			$user_id    = 0;
394
		} else {
395
			$token_type = 'user';
396
			if ( empty( $user_id ) || ! ctype_digit( $user_id ) ) {
397
				return new \WP_Error(
398
					'malformed_user_id',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'malformed_user_id'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
399
					'Malformed user_id in request',
400
					compact( 'signature_details' )
401
				);
402
			}
403
			$user_id = (int) $user_id;
404
405
			$user = new \WP_User( $user_id );
406
			if ( ! $user || ! $user->exists() ) {
407
				return new \WP_Error(
408
					'unknown_user',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown_user'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
409
					sprintf( 'User %d does not exist', $user_id ),
410
					compact( 'signature_details' )
411
				);
412
			}
413
		}
414
415
		$token = $this->get_access_token( $user_id, $token_key, false );
416
		if ( is_wp_error( $token ) ) {
417
			$token->add_data( compact( 'signature_details' ) );
418
			return $token;
419
		} elseif ( ! $token ) {
420
			return new \WP_Error(
421
				'unknown_token',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
422
				sprintf( 'Token %s:%s:%d does not exist', $token_key, $version, $user_id ),
423
				compact( 'signature_details' )
424
			);
425
		}
426
427
		$jetpack_signature = new \Jetpack_Signature( $token->secret, (int) \Jetpack_Options::get_option( 'time_diff' ) );
428
		// phpcs:disable WordPress.Security.NonceVerification.Missing
429
		if ( isset( $_POST['_jetpack_is_multipart'] ) ) {
430
			$post_data   = $_POST;
431
			$file_hashes = array();
432
			foreach ( $post_data as $post_data_key => $post_data_value ) {
433
				if ( 0 !== strpos( $post_data_key, '_jetpack_file_hmac_' ) ) {
434
					continue;
435
				}
436
				$post_data_key                 = substr( $post_data_key, strlen( '_jetpack_file_hmac_' ) );
437
				$file_hashes[ $post_data_key ] = $post_data_value;
438
			}
439
440
			foreach ( $file_hashes as $post_data_key => $post_data_value ) {
441
				unset( $post_data[ "_jetpack_file_hmac_{$post_data_key}" ] );
442
				$post_data[ $post_data_key ] = $post_data_value;
443
			}
444
445
			ksort( $post_data );
446
447
			$body = http_build_query( stripslashes_deep( $post_data ) );
448
		} elseif ( is_null( $this->raw_post_data ) ) {
449
			$body = file_get_contents( 'php://input' );
450
		} else {
451
			$body = null;
452
		}
453
		// phpcs:enable
454
455
		$signature = $jetpack_signature->sign_current_request(
456
			array( 'body' => is_null( $body ) ? $this->raw_post_data : $body )
457
		);
458
459
		$signature_details['url'] = $jetpack_signature->current_request_url;
460
461
		if ( ! $signature ) {
462
			return new \WP_Error(
463
				'could_not_sign',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'could_not_sign'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
464
				'Unknown signature error',
465
				compact( 'signature_details' )
466
			);
467
		} elseif ( is_wp_error( $signature ) ) {
468
			return $signature;
469
		}
470
471
		// phpcs:disable WordPress.Security.NonceVerification.Recommended
472
		$timestamp = (int) $_GET['timestamp'];
473
		$nonce     = stripslashes( (string) $_GET['nonce'] );
474
		// phpcs:enable WordPress.Security.NonceVerification.Recommended
475
476
		// Use up the nonce regardless of whether the signature matches.
477
		if ( ! $this->add_nonce( $timestamp, $nonce ) ) {
478
			return new \WP_Error(
479
				'invalid_nonce',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'invalid_nonce'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
480
				'Could not add nonce',
481
				compact( 'signature_details' )
482
			);
483
		}
484
485
		// Be careful about what you do with this debugging data.
486
		// If a malicious requester has access to the expected signature,
487
		// bad things might be possible.
488
		$signature_details['expected'] = $signature;
489
490
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
491
		if ( ! hash_equals( $signature, $_GET['signature'] ) ) {
492
			return new \WP_Error(
493
				'signature_mismatch',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'signature_mismatch'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
494
				'Signature mismatch',
495
				compact( 'signature_details' )
496
			);
497
		}
498
499
		/**
500
		 * Action for additional token checking.
501
		 *
502
		 * @since 7.7.0
503
		 *
504
		 * @param array $post_data request data.
505
		 * @param array $token_data token data.
506
		 */
507
		return apply_filters(
508
			'jetpack_signature_check_token',
509
			array(
510
				'type'      => $token_type,
511
				'token_key' => $token_key,
512
				'user_id'   => $token->external_user_id,
513
			),
514
			$token,
0 ignored issues
show
Unused Code introduced by
The call to apply_filters() has too many arguments starting with $token.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
515
			$this->raw_post_data
516
		);
517
	}
518
519
	/**
520
	 * Returns true if the current site is connected to WordPress.com and has the minimum requirements to enable Jetpack UI.
521
	 *
522
	 * @return Boolean is the site connected?
523
	 */
524
	public function is_active() {
525
		if ( ( new Status() )->is_no_user_testing_mode() ) {
526
			return $this->is_connected();
527
		}
528
		return $this->is_owned();
529
	}
530
531
	/**
532
	 * Returns true if the site has both a token and a blog id, which indicates a site has been registered.
533
	 *
534
	 * @access public
535
	 * @deprecated 9.2.0 Use is_connected instead
536
	 * @see Manager::is_connected
537
	 *
538
	 * @return bool
539
	 */
540
	public function is_registered() {
541
		_deprecated_function( __METHOD__, 'jetpack-9.2' );
542
		return $this->is_connected();
543
	}
544
545
	/**
546
	 * Returns true if the site has both a token and a blog id, which indicates a site has been connected.
547
	 *
548
	 * @access public
549
	 * @since 9.2.0
550
	 *
551
	 * @return bool
552
	 */
553
	public function is_connected() {
554
		$has_blog_id    = (bool) \Jetpack_Options::get_option( 'id' );
555
		$has_blog_token = (bool) $this->get_access_token( false );
556
		return $has_blog_id && $has_blog_token;
557
	}
558
559
	/**
560
	 * Returns true if the site has at least one connected administrator.
561
	 *
562
	 * @access public
563
	 * @since 9.2.0
564
	 *
565
	 * @return bool
566
	 */
567
	public function has_connected_admin() {
568
		return (bool) count( $this->get_connected_users( 'manage_options' ) );
569
	}
570
571
	/**
572
	 * Returns true if the site has any connected user.
573
	 *
574
	 * @access public
575
	 * @since 9.2.0
576
	 *
577
	 * @return bool
578
	 */
579
	public function has_connected_user() {
580
		return (bool) count( $this->get_connected_users() );
581
	}
582
583
	/**
584
	 * Returns true if the site has a connected Blog owner (master_user).
585
	 *
586
	 * @access public
587
	 * @since 9.2.0
588
	 *
589
	 * @return bool
590
	 */
591
	public function is_owned() {
592
		return (bool) $this->get_connection_owner_id();
593
	}
594
595
	/**
596
	 * Checks to see if the connection owner of the site is missing.
597
	 *
598
	 * @return bool
599
	 */
600
	public function is_missing_connection_owner() {
601
		$connection_owner = $this->get_connection_owner_id();
602
		if ( ! get_user_by( 'id', $connection_owner ) ) {
603
			return true;
604
		}
605
606
		return false;
607
	}
608
609
	/**
610
	 * Returns true if the user with the specified identifier is connected to
611
	 * WordPress.com.
612
	 *
613
	 * @param Integer|Boolean $user_id the user identifier. Default is the current user.
614
	 * @return Boolean is the user connected?
615
	 */
616
	public function is_user_connected( $user_id = false ) {
617
		$user_id = false === $user_id ? get_current_user_id() : absint( $user_id );
618
		if ( ! $user_id ) {
619
			return false;
620
		}
621
622
		return (bool) $this->get_access_token( $user_id );
623
	}
624
625
	/**
626
	 * Returns the local user ID of the connection owner.
627
	 *
628
	 * @return string|int Returns the ID of the connection owner or False if no connection owner found.
629
	 */
630 View Code Duplication
	public function get_connection_owner_id() {
631
		$user_token       = $this->get_access_token( self::CONNECTION_OWNER );
0 ignored issues
show
Documentation introduced by
self::CONNECTION_OWNER is of type boolean, but the function expects a false|integer.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
632
		$connection_owner = false;
633
		if ( $user_token && is_object( $user_token ) && isset( $user_token->external_user_id ) ) {
634
			$connection_owner = $user_token->external_user_id;
635
		}
636
637
		return $connection_owner;
638
	}
639
640
	/**
641
	 * Returns an array of user_id's that have user tokens for communicating with wpcom.
642
	 * Able to select by specific capability.
643
	 *
644
	 * @param string $capability The capability of the user.
645
	 * @return array Array of WP_User objects if found.
646
	 */
647
	public function get_connected_users( $capability = 'any' ) {
648
		$connected_users    = array();
649
		$connected_user_ids = array_keys( \Jetpack_Options::get_option( 'user_tokens' ) );
650
651
		if ( ! empty( $connected_user_ids ) ) {
652
			foreach ( $connected_user_ids as $id ) {
653
				// Check for capability.
654
				if ( 'any' !== $capability && ! user_can( $id, $capability ) ) {
655
					continue;
656
				}
657
658
				$user_data = get_userdata( $id );
659
				if ( $user_data instanceof \WP_User ) {
0 ignored issues
show
Bug introduced by
The class WP_User does not exist. Is this class maybe located in a folder that is not analyzed, or in a newer version of your dependencies than listed in your composer.lock/composer.json?
Loading history...
660
					$connected_users[] = $user_data;
661
				}
662
			}
663
		}
664
665
		return $connected_users;
666
	}
667
668
	/**
669
	 * Get the wpcom user data of the current|specified connected user.
670
	 *
671
	 * @todo Refactor to properly load the XMLRPC client independently.
672
	 *
673
	 * @param Integer $user_id the user identifier.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user_id not be integer|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
674
	 * @return Object the user object.
675
	 */
676 View Code Duplication
	public function get_connected_user_data( $user_id = null ) {
677
		if ( ! $user_id ) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $user_id of type integer|null is loosely compared to false; this is ambiguous if the integer can be zero. You might want to explicitly use === null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For integer values, zero is a special case, in particular the following results might be unexpected:

0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
Loading history...
678
			$user_id = get_current_user_id();
679
		}
680
681
		$transient_key    = "jetpack_connected_user_data_$user_id";
682
		$cached_user_data = get_transient( $transient_key );
683
684
		if ( $cached_user_data ) {
685
			return $cached_user_data;
686
		}
687
688
		$xml = new \Jetpack_IXR_Client(
689
			array(
690
				'user_id' => $user_id,
691
			)
692
		);
693
		$xml->query( 'wpcom.getUser' );
694
		if ( ! $xml->isError() ) {
695
			$user_data = $xml->getResponse();
696
			set_transient( $transient_key, $xml->getResponse(), DAY_IN_SECONDS );
697
			return $user_data;
698
		}
699
700
		return false;
701
	}
702
703
	/**
704
	 * Returns a user object of the connection owner.
705
	 *
706
	 * @return object|false False if no connection owner found.
707
	 */
708 View Code Duplication
	public function get_connection_owner() {
709
		$user_token = $this->get_access_token( self::CONNECTION_OWNER );
0 ignored issues
show
Documentation introduced by
self::CONNECTION_OWNER is of type boolean, but the function expects a false|integer.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
710
711
		$connection_owner = false;
712
		if ( $user_token && is_object( $user_token ) && isset( $user_token->external_user_id ) ) {
713
			$connection_owner = get_userdata( $user_token->external_user_id );
714
		}
715
716
		return $connection_owner;
717
	}
718
719
	/**
720
	 * Returns true if the provided user is the Jetpack connection owner.
721
	 * If user ID is not specified, the current user will be used.
722
	 *
723
	 * @param Integer|Boolean $user_id the user identifier. False for current user.
724
	 * @return Boolean True the user the connection owner, false otherwise.
725
	 */
726 View Code Duplication
	public function is_connection_owner( $user_id = false ) {
727
		if ( ! $user_id ) {
728
			$user_id = get_current_user_id();
729
		}
730
731
		$user_token = $this->get_access_token( self::CONNECTION_OWNER );
0 ignored issues
show
Documentation introduced by
self::CONNECTION_OWNER is of type boolean, but the function expects a false|integer.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
732
733
		return $user_token && is_object( $user_token ) && isset( $user_token->external_user_id ) && $user_id === $user_token->external_user_id;
734
	}
735
736
	/**
737
	 * Connects the user with a specified ID to a WordPress.com user using the
738
	 * remote login flow.
739
	 *
740
	 * @access public
741
	 *
742
	 * @param Integer $user_id (optional) the user identifier, defaults to current user.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user_id not be integer|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
743
	 * @param String  $redirect_url the URL to redirect the user to for processing, defaults to
0 ignored issues
show
Documentation introduced by
Should the type for parameter $redirect_url not be string|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
744
	 *                              admin_url().
745
	 * @return WP_Error only in case of a failed user lookup.
746
	 */
747
	public function connect_user( $user_id = null, $redirect_url = null ) {
748
		$user = null;
0 ignored issues
show
Unused Code introduced by
$user is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
749
		if ( null === $user_id ) {
750
			$user = wp_get_current_user();
751
		} else {
752
			$user = get_user_by( 'ID', $user_id );
753
		}
754
755
		if ( empty( $user ) ) {
756
			return new \WP_Error( 'user_not_found', 'Attempting to connect a non-existent user.' );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'user_not_found'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
757
		}
758
759
		if ( null === $redirect_url ) {
760
			$redirect_url = admin_url();
0 ignored issues
show
Unused Code introduced by
$redirect_url is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
761
		}
762
763
		// Using wp_redirect intentionally because we're redirecting outside.
764
		wp_redirect( $this->get_authorization_url( $user ) ); // phpcs:ignore WordPress.Security.SafeRedirect
765
		exit();
766
	}
767
768
	/**
769
	 * Unlinks the current user from the linked WordPress.com user.
770
	 *
771
	 * @access public
772
	 * @static
773
	 *
774
	 * @todo Refactor to properly load the XMLRPC client independently.
775
	 *
776
	 * @param Integer $user_id the user identifier.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user_id not be integer|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
777
	 * @param bool    $can_overwrite_primary_user Allow for the primary user to be disconnected.
778
	 * @return Boolean Whether the disconnection of the user was successful.
779
	 */
780
	public static function disconnect_user( $user_id = null, $can_overwrite_primary_user = false ) {
781
		$tokens = Jetpack_Options::get_option( 'user_tokens' );
782
		if ( ! $tokens ) {
783
			return false;
784
		}
785
786
		$user_id = empty( $user_id ) ? get_current_user_id() : (int) $user_id;
787
788
		if ( Jetpack_Options::get_option( 'master_user' ) === $user_id && ! $can_overwrite_primary_user ) {
789
			return false;
790
		}
791
792
		if ( ! isset( $tokens[ $user_id ] ) ) {
793
			return false;
794
		}
795
796
		$xml = new \Jetpack_IXR_Client( compact( 'user_id' ) );
797
		$xml->query( 'jetpack.unlink_user', $user_id );
798
799
		unset( $tokens[ $user_id ] );
800
801
		Jetpack_Options::update_option( 'user_tokens', $tokens );
802
803
		// Delete cached connected user data.
804
		$transient_key = "jetpack_connected_user_data_$user_id";
805
		delete_transient( $transient_key );
806
807
		/**
808
		 * Fires after the current user has been unlinked from WordPress.com.
809
		 *
810
		 * @since 4.1.0
811
		 *
812
		 * @param int $user_id The current user's ID.
813
		 */
814
		do_action( 'jetpack_unlinked_user', $user_id );
815
816
		return true;
817
	}
818
819
	/**
820
	 * Returns the requested Jetpack API URL.
821
	 *
822
	 * @param String $relative_url the relative API path.
823
	 * @return String API URL.
824
	 */
825
	public function api_url( $relative_url ) {
826
		$api_base    = Constants::get_constant( 'JETPACK__API_BASE' );
827
		$api_version = '/' . Constants::get_constant( 'JETPACK__API_VERSION' ) . '/';
828
829
		/**
830
		 * Filters whether the connection manager should use the iframe authorization
831
		 * flow instead of the regular redirect-based flow.
832
		 *
833
		 * @since 8.3.0
834
		 *
835
		 * @param Boolean $is_iframe_flow_used should the iframe flow be used, defaults to false.
836
		 */
837
		$iframe_flow = apply_filters( 'jetpack_use_iframe_authorization_flow', false );
838
839
		// Do not modify anything that is not related to authorize requests.
840
		if ( 'authorize' === $relative_url && $iframe_flow ) {
841
			$relative_url = 'authorize_iframe';
842
		}
843
844
		/**
845
		 * Filters the API URL that Jetpack uses for server communication.
846
		 *
847
		 * @since 8.0.0
848
		 *
849
		 * @param String $url the generated URL.
850
		 * @param String $relative_url the relative URL that was passed as an argument.
851
		 * @param String $api_base the API base string that is being used.
852
		 * @param String $api_version the API version string that is being used.
853
		 */
854
		return apply_filters(
855
			'jetpack_api_url',
856
			rtrim( $api_base . $relative_url, '/\\' ) . $api_version,
857
			$relative_url,
0 ignored issues
show
Unused Code introduced by
The call to apply_filters() has too many arguments starting with $relative_url.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
858
			$api_base,
859
			$api_version
860
		);
861
	}
862
863
	/**
864
	 * Returns the Jetpack XMLRPC WordPress.com API endpoint URL.
865
	 *
866
	 * @return String XMLRPC API URL.
867
	 */
868
	public function xmlrpc_api_url() {
869
		$base = preg_replace(
870
			'#(https?://[^?/]+)(/?.*)?$#',
871
			'\\1',
872
			Constants::get_constant( 'JETPACK__API_BASE' )
873
		);
874
		return untrailingslashit( $base ) . '/xmlrpc.php';
875
	}
876
877
	/**
878
	 * Attempts Jetpack registration which sets up the site for connection. Should
879
	 * remain public because the call to action comes from the current site, not from
880
	 * WordPress.com.
881
	 *
882
	 * @param String $api_endpoint (optional) an API endpoint to use, defaults to 'register'.
883
	 * @return true|WP_Error The error object.
884
	 */
885
	public function register( $api_endpoint = 'register' ) {
886
		add_action( 'pre_update_jetpack_option_register', array( '\\Jetpack_Options', 'delete_option' ) );
887
		$secrets = $this->generate_secrets( 'register', get_current_user_id(), 600 );
888
889
		if ( false === $secrets ) {
890
			return new WP_Error( 'cannot_save_secrets', __( 'Jetpack experienced an issue trying to save options (cannot_save_secrets). We suggest that you contact your hosting provider, and ask them for help checking that the options table is writable on your site.', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'cannot_save_secrets'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
891
		}
892
893
		if (
894
			empty( $secrets['secret_1'] ) ||
895
			empty( $secrets['secret_2'] ) ||
896
			empty( $secrets['exp'] )
897
		) {
898
			return new \WP_Error( 'missing_secrets' );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'missing_secrets'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
899
		}
900
901
		// Better to try (and fail) to set a higher timeout than this system
902
		// supports than to have register fail for more users than it should.
903
		$timeout = $this->set_min_time_limit( 60 ) / 2;
904
905
		$gmt_offset = get_option( 'gmt_offset' );
906
		if ( ! $gmt_offset ) {
907
			$gmt_offset = 0;
908
		}
909
910
		$stats_options = get_option( 'stats_options' );
911
		$stats_id      = isset( $stats_options['blog_id'] )
912
			? $stats_options['blog_id']
913
			: null;
914
915
		/**
916
		 * Filters the request body for additional property addition.
917
		 *
918
		 * @since 7.7.0
919
		 *
920
		 * @param array $post_data request data.
921
		 * @param Array $token_data token data.
922
		 */
923
		$body = apply_filters(
924
			'jetpack_register_request_body',
925
			array(
926
				'siteurl'            => site_url(),
927
				'home'               => home_url(),
928
				'gmt_offset'         => $gmt_offset,
929
				'timezone_string'    => (string) get_option( 'timezone_string' ),
930
				'site_name'          => (string) get_option( 'blogname' ),
931
				'secret_1'           => $secrets['secret_1'],
932
				'secret_2'           => $secrets['secret_2'],
933
				'site_lang'          => get_locale(),
934
				'timeout'            => $timeout,
935
				'stats_id'           => $stats_id,
936
				'state'              => get_current_user_id(),
937
				'site_created'       => $this->get_assumed_site_creation_date(),
938
				'jetpack_version'    => Constants::get_constant( 'JETPACK__VERSION' ),
939
				'ABSPATH'            => Constants::get_constant( 'ABSPATH' ),
940
				'current_user_email' => wp_get_current_user()->user_email,
941
				'connect_plugin'     => $this->get_plugin() ? $this->get_plugin()->get_slug() : null,
942
			)
943
		);
944
945
		$args = array(
946
			'method'  => 'POST',
947
			'body'    => $body,
948
			'headers' => array(
949
				'Accept' => 'application/json',
950
			),
951
			'timeout' => $timeout,
952
		);
953
954
		$args['body'] = $this->apply_activation_source_to_args( $args['body'] );
955
956
		// TODO: fix URLs for bad hosts.
957
		$response = Client::_wp_remote_request(
958
			$this->api_url( $api_endpoint ),
959
			$args,
960
			true
961
		);
962
963
		// Make sure the response is valid and does not contain any Jetpack errors.
964
		$registration_details = $this->validate_remote_register_response( $response );
965
966
		if ( is_wp_error( $registration_details ) ) {
967
			return $registration_details;
968
		} elseif ( ! $registration_details ) {
969
			return new \WP_Error(
970
				'unknown_error',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown_error'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
971
				'Unknown error registering your Jetpack site.',
972
				wp_remote_retrieve_response_code( $response )
973
			);
974
		}
975
976
		if ( empty( $registration_details->jetpack_secret ) || ! is_string( $registration_details->jetpack_secret ) ) {
977
			return new \WP_Error(
978
				'jetpack_secret',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'jetpack_secret'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
979
				'Unable to validate registration of your Jetpack site.',
980
				wp_remote_retrieve_response_code( $response )
981
			);
982
		}
983
984
		if ( isset( $registration_details->jetpack_public ) ) {
985
			$jetpack_public = (int) $registration_details->jetpack_public;
986
		} else {
987
			$jetpack_public = false;
988
		}
989
990
		\Jetpack_Options::update_options(
991
			array(
992
				'id'         => (int) $registration_details->jetpack_id,
993
				'blog_token' => (string) $registration_details->jetpack_secret,
994
				'public'     => $jetpack_public,
995
			)
996
		);
997
998
		/**
999
		 * Fires when a site is registered on WordPress.com.
1000
		 *
1001
		 * @since 3.7.0
1002
		 *
1003
		 * @param int $json->jetpack_id Jetpack Blog ID.
1004
		 * @param string $json->jetpack_secret Jetpack Blog Token.
1005
		 * @param int|bool $jetpack_public Is the site public.
1006
		 */
1007
		do_action(
1008
			'jetpack_site_registered',
1009
			$registration_details->jetpack_id,
1010
			$registration_details->jetpack_secret,
1011
			$jetpack_public
1012
		);
1013
1014
		if ( isset( $registration_details->token ) ) {
1015
			/**
1016
			 * Fires when a user token is sent along with the registration data.
1017
			 *
1018
			 * @since 7.6.0
1019
			 *
1020
			 * @param object $token the administrator token for the newly registered site.
1021
			 */
1022
			do_action( 'jetpack_site_registered_user_token', $registration_details->token );
1023
		}
1024
1025
		return true;
1026
	}
1027
1028
	/**
1029
	 * Takes the response from the Jetpack register new site endpoint and
1030
	 * verifies it worked properly.
1031
	 *
1032
	 * @since 2.6
1033
	 *
1034
	 * @param Mixed $response the response object, or the error object.
1035
	 * @return string|WP_Error A JSON object on success or WP_Error on failures
1036
	 **/
1037
	protected function validate_remote_register_response( $response ) {
1038
		if ( is_wp_error( $response ) ) {
1039
			return new \WP_Error(
1040
				'register_http_request_failed',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'register_http_request_failed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1041
				$response->get_error_message()
1042
			);
1043
		}
1044
1045
		$code   = wp_remote_retrieve_response_code( $response );
1046
		$entity = wp_remote_retrieve_body( $response );
1047
1048
		if ( $entity ) {
1049
			$registration_response = json_decode( $entity );
1050
		} else {
1051
			$registration_response = false;
1052
		}
1053
1054
		$code_type = (int) ( $code / 100 );
1055
		if ( 5 === $code_type ) {
1056
			return new \WP_Error( 'wpcom_5??', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'wpcom_5??'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1057
		} elseif ( 408 === $code ) {
1058
			return new \WP_Error( 'wpcom_408', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'wpcom_408'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1059
		} elseif ( ! empty( $registration_response->error ) ) {
1060
			if (
1061
				'xml_rpc-32700' === $registration_response->error
1062
				&& ! function_exists( 'xml_parser_create' )
1063
			) {
1064
				$error_description = __( "PHP's XML extension is not available. Jetpack requires the XML extension to communicate with WordPress.com. Please contact your hosting provider to enable PHP's XML extension.", 'jetpack' );
1065
			} else {
1066
				$error_description = isset( $registration_response->error_description )
1067
					? (string) $registration_response->error_description
1068
					: '';
1069
			}
1070
1071
			return new \WP_Error(
1072
				(string) $registration_response->error,
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with (string) $registration_response->error.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1073
				$error_description,
1074
				$code
1075
			);
1076
		} elseif ( 200 !== $code ) {
1077
			return new \WP_Error( 'wpcom_bad_response', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'wpcom_bad_response'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1078
		}
1079
1080
		// Jetpack ID error block.
1081
		if ( empty( $registration_response->jetpack_id ) ) {
1082
			return new \WP_Error(
1083
				'jetpack_id',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'jetpack_id'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1084
				/* translators: %s is an error message string */
1085
				sprintf( __( 'Error Details: Jetpack ID is empty. Do not publicly post this error message! %s', 'jetpack' ), $entity ),
1086
				$entity
1087
			);
1088
		} elseif ( ! is_scalar( $registration_response->jetpack_id ) ) {
1089
			return new \WP_Error(
1090
				'jetpack_id',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'jetpack_id'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1091
				/* translators: %s is an error message string */
1092
				sprintf( __( 'Error Details: Jetpack ID is not a scalar. Do not publicly post this error message! %s', 'jetpack' ), $entity ),
1093
				$entity
1094
			);
1095 View Code Duplication
		} elseif ( preg_match( '/[^0-9]/', $registration_response->jetpack_id ) ) {
1096
			return new \WP_Error(
1097
				'jetpack_id',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'jetpack_id'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1098
				/* translators: %s is an error message string */
1099
				sprintf( __( 'Error Details: Jetpack ID begins with a numeral. Do not publicly post this error message! %s', 'jetpack' ), $entity ),
1100
				$entity
1101
			);
1102
		}
1103
1104
		return $registration_response;
1105
	}
1106
1107
	/**
1108
	 * Adds a used nonce to a list of known nonces.
1109
	 *
1110
	 * @param int    $timestamp the current request timestamp.
1111
	 * @param string $nonce the nonce value.
1112
	 * @return bool whether the nonce is unique or not.
1113
	 */
1114
	public function add_nonce( $timestamp, $nonce ) {
1115
		global $wpdb;
1116
		static $nonces_used_this_request = array();
1117
1118
		if ( isset( $nonces_used_this_request[ "$timestamp:$nonce" ] ) ) {
1119
			return $nonces_used_this_request[ "$timestamp:$nonce" ];
1120
		}
1121
1122
		// This should always have gone through Jetpack_Signature::sign_request() first to check $timestamp an $nonce.
1123
		$timestamp = (int) $timestamp;
1124
		$nonce     = esc_sql( $nonce );
1125
1126
		// Raw query so we can avoid races: add_option will also update.
1127
		$show_errors = $wpdb->show_errors( false );
1128
1129
		$old_nonce = $wpdb->get_row(
1130
			$wpdb->prepare( "SELECT * FROM `$wpdb->options` WHERE option_name = %s", "jetpack_nonce_{$timestamp}_{$nonce}" )
1131
		);
1132
1133
		if ( is_null( $old_nonce ) ) {
1134
			$return = $wpdb->query(
1135
				$wpdb->prepare(
1136
					"INSERT INTO `$wpdb->options` (`option_name`, `option_value`, `autoload`) VALUES (%s, %s, %s)",
1137
					"jetpack_nonce_{$timestamp}_{$nonce}",
1138
					time(),
1139
					'no'
1140
				)
1141
			);
1142
		} else {
1143
			$return = false;
1144
		}
1145
1146
		$wpdb->show_errors( $show_errors );
1147
1148
		$nonces_used_this_request[ "$timestamp:$nonce" ] = $return;
1149
1150
		return $return;
1151
	}
1152
1153
	/**
1154
	 * Cleans nonces that were saved when calling ::add_nonce.
1155
	 *
1156
	 * @todo Properly prepare the query before executing it.
1157
	 *
1158
	 * @param bool $all whether to clean even non-expired nonces.
1159
	 */
1160
	public function clean_nonces( $all = false ) {
1161
		global $wpdb;
1162
1163
		$sql      = "DELETE FROM `$wpdb->options` WHERE `option_name` LIKE %s";
1164
		$sql_args = array( $wpdb->esc_like( 'jetpack_nonce_' ) . '%' );
1165
1166
		if ( true !== $all ) {
1167
			$sql       .= ' AND CAST( `option_value` AS UNSIGNED ) < %d';
1168
			$sql_args[] = time() - 3600;
1169
		}
1170
1171
		$sql .= ' ORDER BY `option_id` LIMIT 100';
1172
1173
		$sql = $wpdb->prepare( $sql, $sql_args ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
1174
1175
		for ( $i = 0; $i < 1000; $i++ ) {
1176
			if ( ! $wpdb->query( $sql ) ) { // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
1177
				break;
1178
			}
1179
		}
1180
	}
1181
1182
	/**
1183
	 * Sets the Connection custom capabilities.
1184
	 *
1185
	 * @param string[] $caps    Array of the user's capabilities.
1186
	 * @param string   $cap     Capability name.
1187
	 * @param int      $user_id The user ID.
1188
	 * @param array    $args    Adds the context to the cap. Typically the object ID.
1189
	 */
1190
	public function jetpack_connection_custom_caps( $caps, $cap, $user_id, $args ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
1191
		$is_offline_mode = ( new Status() )->is_offline_mode();
1192
		switch ( $cap ) {
1193
			case 'jetpack_connect':
1194
			case 'jetpack_reconnect':
1195
				if ( $is_offline_mode ) {
1196
					$caps = array( 'do_not_allow' );
1197
					break;
1198
				}
1199
				// Pass through. If it's not offline mode, these should match disconnect.
1200
				// Let users disconnect if it's offline mode, just in case things glitch.
1201
			case 'jetpack_disconnect':
1202
				/**
1203
				 * Filters the jetpack_disconnect capability.
1204
				 *
1205
				 * @since 8.7.0
1206
				 *
1207
				 * @param array An array containing the capability name.
1208
				 */
1209
				$caps = apply_filters( 'jetpack_disconnect_cap', array( 'manage_options' ) );
1210
				break;
1211
			case 'jetpack_connect_user':
1212
				if ( $is_offline_mode ) {
1213
					$caps = array( 'do_not_allow' );
1214
					break;
1215
				}
1216
				$caps = array( 'read' );
1217
				break;
1218
		}
1219
		return $caps;
1220
	}
1221
1222
	/**
1223
	 * Builds the timeout limit for queries talking with the wpcom servers.
1224
	 *
1225
	 * Based on local php max_execution_time in php.ini
1226
	 *
1227
	 * @since 5.4
1228
	 * @return int
1229
	 **/
1230
	public function get_max_execution_time() {
1231
		$timeout = (int) ini_get( 'max_execution_time' );
1232
1233
		// Ensure exec time set in php.ini.
1234
		if ( ! $timeout ) {
1235
			$timeout = 30;
1236
		}
1237
		return $timeout;
1238
	}
1239
1240
	/**
1241
	 * Sets a minimum request timeout, and returns the current timeout
1242
	 *
1243
	 * @since 5.4
1244
	 * @param Integer $min_timeout the minimum timeout value.
1245
	 **/
1246 View Code Duplication
	public function set_min_time_limit( $min_timeout ) {
1247
		$timeout = $this->get_max_execution_time();
1248
		if ( $timeout < $min_timeout ) {
1249
			$timeout = $min_timeout;
1250
			set_time_limit( $timeout );
1251
		}
1252
		return $timeout;
1253
	}
1254
1255
	/**
1256
	 * Get our assumed site creation date.
1257
	 * Calculated based on the earlier date of either:
1258
	 * - Earliest admin user registration date.
1259
	 * - Earliest date of post of any post type.
1260
	 *
1261
	 * @since 7.2.0
1262
	 *
1263
	 * @return string Assumed site creation date and time.
1264
	 */
1265
	public function get_assumed_site_creation_date() {
1266
		$cached_date = get_transient( 'jetpack_assumed_site_creation_date' );
1267
		if ( ! empty( $cached_date ) ) {
1268
			return $cached_date;
1269
		}
1270
1271
		$earliest_registered_users  = get_users(
1272
			array(
1273
				'role'    => 'administrator',
1274
				'orderby' => 'user_registered',
1275
				'order'   => 'ASC',
1276
				'fields'  => array( 'user_registered' ),
1277
				'number'  => 1,
1278
			)
1279
		);
1280
		$earliest_registration_date = $earliest_registered_users[0]->user_registered;
1281
1282
		$earliest_posts = get_posts(
1283
			array(
1284
				'posts_per_page' => 1,
1285
				'post_type'      => 'any',
1286
				'post_status'    => 'any',
1287
				'orderby'        => 'date',
1288
				'order'          => 'ASC',
1289
			)
1290
		);
1291
1292
		// If there are no posts at all, we'll count only on user registration date.
1293
		if ( $earliest_posts ) {
1294
			$earliest_post_date = $earliest_posts[0]->post_date;
1295
		} else {
1296
			$earliest_post_date = PHP_INT_MAX;
1297
		}
1298
1299
		$assumed_date = min( $earliest_registration_date, $earliest_post_date );
1300
		set_transient( 'jetpack_assumed_site_creation_date', $assumed_date );
1301
1302
		return $assumed_date;
1303
	}
1304
1305
	/**
1306
	 * Adds the activation source string as a parameter to passed arguments.
1307
	 *
1308
	 * @todo Refactor to use rawurlencode() instead of urlencode().
1309
	 *
1310
	 * @param array $args arguments that need to have the source added.
1311
	 * @return array $amended arguments.
1312
	 */
1313 View Code Duplication
	public static function apply_activation_source_to_args( $args ) {
1314
		list( $activation_source_name, $activation_source_keyword ) = get_option( 'jetpack_activation_source' );
1315
1316
		if ( $activation_source_name ) {
1317
			// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.urlencode_urlencode
1318
			$args['_as'] = urlencode( $activation_source_name );
1319
		}
1320
1321
		if ( $activation_source_keyword ) {
1322
			// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.urlencode_urlencode
1323
			$args['_ak'] = urlencode( $activation_source_keyword );
1324
		}
1325
1326
		return $args;
1327
	}
1328
1329
	/**
1330
	 * Returns the callable that would be used to generate secrets.
1331
	 *
1332
	 * @return Callable a function that returns a secure string to be used as a secret.
1333
	 */
1334
	protected function get_secret_callable() {
1335
		if ( ! isset( $this->secret_callable ) ) {
1336
			/**
1337
			 * Allows modification of the callable that is used to generate connection secrets.
1338
			 *
1339
			 * @param Callable a function or method that returns a secret string.
1340
			 */
1341
			$this->secret_callable = apply_filters( 'jetpack_connection_secret_generator', array( $this, 'secret_callable_method' ) );
1342
		}
1343
1344
		return $this->secret_callable;
1345
	}
1346
1347
	/**
1348
	 * Runs the wp_generate_password function with the required parameters. This is the
1349
	 * default implementation of the secret callable, can be overridden using the
1350
	 * jetpack_connection_secret_generator filter.
1351
	 *
1352
	 * @return String $secret value.
1353
	 */
1354
	private function secret_callable_method() {
1355
		return wp_generate_password( 32, false );
1356
	}
1357
1358
	/**
1359
	 * Generates two secret tokens and the end of life timestamp for them.
1360
	 *
1361
	 * @param String  $action  The action name.
1362
	 * @param Integer $user_id The user identifier.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user_id not be false|integer?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
1363
	 * @param Integer $exp     Expiration time in seconds.
1364
	 */
1365
	public function generate_secrets( $action, $user_id = false, $exp = 600 ) {
1366
		if ( false === $user_id ) {
1367
			$user_id = get_current_user_id();
1368
		}
1369
1370
		$callable = $this->get_secret_callable();
1371
1372
		$secrets = \Jetpack_Options::get_raw_option(
1373
			self::SECRETS_OPTION_NAME,
1374
			array()
1375
		);
1376
1377
		$secret_name = 'jetpack_' . $action . '_' . $user_id;
1378
1379
		if (
1380
			isset( $secrets[ $secret_name ] ) &&
1381
			$secrets[ $secret_name ]['exp'] > time()
1382
		) {
1383
			return $secrets[ $secret_name ];
1384
		}
1385
1386
		$secret_value = array(
1387
			'secret_1' => call_user_func( $callable ),
1388
			'secret_2' => call_user_func( $callable ),
1389
			'exp'      => time() + $exp,
1390
		);
1391
1392
		$secrets[ $secret_name ] = $secret_value;
1393
1394
		$res = Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
1395
		return $res ? $secrets[ $secret_name ] : false;
1396
	}
1397
1398
	/**
1399
	 * Returns two secret tokens and the end of life timestamp for them.
1400
	 *
1401
	 * @param String  $action  The action name.
1402
	 * @param Integer $user_id The user identifier.
1403
	 * @return string|array an array of secrets or an error string.
1404
	 */
1405
	public function get_secrets( $action, $user_id ) {
1406
		$secret_name = 'jetpack_' . $action . '_' . $user_id;
1407
		$secrets     = \Jetpack_Options::get_raw_option(
1408
			self::SECRETS_OPTION_NAME,
1409
			array()
1410
		);
1411
1412
		if ( ! isset( $secrets[ $secret_name ] ) ) {
1413
			return self::SECRETS_MISSING;
1414
		}
1415
1416
		if ( $secrets[ $secret_name ]['exp'] < time() ) {
1417
			$this->delete_secrets( $action, $user_id );
1418
			return self::SECRETS_EXPIRED;
1419
		}
1420
1421
		return $secrets[ $secret_name ];
1422
	}
1423
1424
	/**
1425
	 * Deletes secret tokens in case they, for example, have expired.
1426
	 *
1427
	 * @param String  $action  The action name.
1428
	 * @param Integer $user_id The user identifier.
1429
	 */
1430
	public function delete_secrets( $action, $user_id ) {
1431
		$secret_name = 'jetpack_' . $action . '_' . $user_id;
1432
		$secrets     = \Jetpack_Options::get_raw_option(
1433
			self::SECRETS_OPTION_NAME,
1434
			array()
1435
		);
1436
		if ( isset( $secrets[ $secret_name ] ) ) {
1437
			unset( $secrets[ $secret_name ] );
1438
			\Jetpack_Options::update_raw_option( self::SECRETS_OPTION_NAME, $secrets );
1439
		}
1440
	}
1441
1442
	/**
1443
	 * Deletes all connection tokens and transients from the local Jetpack site.
1444
	 * If the plugin object has been provided in the constructor, the function first checks
1445
	 * whether it's the only active connection.
1446
	 * If there are any other connections, the function will do nothing and return `false`
1447
	 * (unless `$ignore_connected_plugins` is set to `true`).
1448
	 *
1449
	 * @param bool $ignore_connected_plugins Delete the tokens even if there are other connected plugins.
1450
	 *
1451
	 * @return bool True if disconnected successfully, false otherwise.
1452
	 */
1453
	public function delete_all_connection_tokens( $ignore_connected_plugins = false ) {
1454 View Code Duplication
		if ( ! $ignore_connected_plugins && null !== $this->plugin && ! $this->plugin->is_only() ) {
1455
			return false;
1456
		}
1457
1458
		/**
1459
		 * Fires upon the disconnect attempt.
1460
		 * Return `false` to prevent the disconnect.
1461
		 *
1462
		 * @since 8.7.0
1463
		 */
1464
		if ( ! apply_filters( 'jetpack_connection_delete_all_tokens', true, $this ) ) {
0 ignored issues
show
Unused Code introduced by
The call to apply_filters() has too many arguments starting with $this.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1465
			return false;
1466
		}
1467
1468
		\Jetpack_Options::delete_option(
1469
			array(
1470
				'blog_token',
1471
				'user_token',
1472
				'user_tokens',
1473
				'master_user',
1474
				'time_diff',
1475
				'fallback_no_verify_ssl_certs',
1476
			)
1477
		);
1478
1479
		\Jetpack_Options::delete_raw_option( 'jetpack_secrets' );
1480
1481
		// Delete cached connected user data.
1482
		$transient_key = 'jetpack_connected_user_data_' . get_current_user_id();
1483
		delete_transient( $transient_key );
1484
1485
		// Delete all XML-RPC errors.
1486
		Error_Handler::get_instance()->delete_all_errors();
1487
1488
		return true;
1489
	}
1490
1491
	/**
1492
	 * Tells WordPress.com to disconnect the site and clear all tokens from cached site.
1493
	 * If the plugin object has been provided in the constructor, the function first check
1494
	 * whether it's the only active connection.
1495
	 * If there are any other connections, the function will do nothing and return `false`
1496
	 * (unless `$ignore_connected_plugins` is set to `true`).
1497
	 *
1498
	 * @param bool $ignore_connected_plugins Delete the tokens even if there are other connected plugins.
1499
	 *
1500
	 * @return bool True if disconnected successfully, false otherwise.
1501
	 */
1502
	public function disconnect_site_wpcom( $ignore_connected_plugins = false ) {
1503 View Code Duplication
		if ( ! $ignore_connected_plugins && null !== $this->plugin && ! $this->plugin->is_only() ) {
1504
			return false;
1505
		}
1506
1507
		/**
1508
		 * Fires upon the disconnect attempt.
1509
		 * Return `false` to prevent the disconnect.
1510
		 *
1511
		 * @since 8.7.0
1512
		 */
1513
		if ( ! apply_filters( 'jetpack_connection_disconnect_site_wpcom', true, $this ) ) {
0 ignored issues
show
Unused Code introduced by
The call to apply_filters() has too many arguments starting with $this.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1514
			return false;
1515
		}
1516
1517
		$xml = new \Jetpack_IXR_Client();
1518
		$xml->query( 'jetpack.deregister', get_current_user_id() );
1519
1520
		return true;
1521
	}
1522
1523
	/**
1524
	 * Disconnect the plugin and remove the tokens.
1525
	 * This function will automatically perform "soft" or "hard" disconnect depending on whether other plugins are using the connection.
1526
	 * This is a proxy method to simplify the Connection package API.
1527
	 *
1528
	 * @see Manager::disable_plugin()
1529
	 * @see Manager::disconnect_site_wpcom()
1530
	 * @see Manager::delete_all_connection_tokens()
1531
	 *
1532
	 * @return bool
1533
	 */
1534
	public function remove_connection() {
1535
		$this->disable_plugin();
1536
		$this->disconnect_site_wpcom();
1537
		$this->delete_all_connection_tokens();
1538
1539
		return true;
1540
	}
1541
1542
	/**
1543
	 * Completely clearing up the connection, and initiating reconnect.
1544
	 *
1545
	 * @return true|WP_Error True if reconnected successfully, a `WP_Error` object otherwise.
1546
	 */
1547
	public function reconnect() {
1548
		( new Tracking() )->record_user_event( 'restore_connection_reconnect' );
1549
1550
		$this->disconnect_site_wpcom( true );
1551
		$this->delete_all_connection_tokens( true );
1552
1553
		return $this->register();
1554
	}
1555
1556
	/**
1557
	 * Validate the tokens, and refresh the invalid ones.
1558
	 *
1559
	 * @return string|true|WP_Error True if connection restored or string indicating what's to be done next. A `WP_Error` object otherwise.
1560
	 */
1561
	public function restore() {
1562
		$invalid_tokens = array();
1563
		$can_restore    = $this->can_restore( $invalid_tokens );
1564
1565
		// Tokens are valid. We can't fix the problem we don't see, so the full reconnection is needed.
1566
		if ( ! $can_restore ) {
1567
			$result = $this->reconnect();
1568
			return true === $result ? 'authorize' : $result;
1569
		}
1570
1571
		if ( in_array( 'blog', $invalid_tokens, true ) ) {
1572
			return self::refresh_blog_token();
1573
		}
1574
1575
		if ( in_array( 'user', $invalid_tokens, true ) ) {
1576
			return true === self::refresh_user_token() ? 'authorize' : false;
1577
		}
1578
1579
		return false;
1580
	}
1581
1582
	/**
1583
	 * Determine whether we can restore the connection, or the full reconnect is needed.
1584
	 *
1585
	 * @param array $invalid_tokens The array the invalid tokens are stored in, provided by reference.
1586
	 *
1587
	 * @return bool `True` if the connection can be restored, `false` otherwise.
1588
	 */
1589
	public function can_restore( &$invalid_tokens ) {
1590
		$invalid_tokens = array();
1591
1592
		$validated_tokens = $this->validate_tokens();
1593
1594
		if ( ! is_array( $validated_tokens ) || count( array_diff_key( array_flip( array( 'blog_token', 'user_token' ) ), $validated_tokens ) ) ) {
1595
			return false;
1596
		}
1597
1598
		if ( empty( $validated_tokens['blog_token']['is_healthy'] ) ) {
1599
			$invalid_tokens[] = 'blog';
1600
		}
1601
1602
		if ( empty( $validated_tokens['user_token']['is_healthy'] ) ) {
1603
			$invalid_tokens[] = 'user';
1604
		}
1605
1606
		// If both tokens are invalid, we can't restore the connection.
1607
		return 1 === count( $invalid_tokens );
1608
	}
1609
1610
	/**
1611
	 * Perform the API request to validate the blog and user tokens.
1612
	 *
1613
	 * @param int|null $user_id ID of the user we need to validate token for. Current user's ID by default.
1614
	 *
1615
	 * @return array|false|WP_Error The API response: `array( 'blog_token_is_healthy' => true|false, 'user_token_is_healthy' => true|false )`.
1616
	 */
1617
	public function validate_tokens( $user_id = null ) {
1618
		$blog_id = Jetpack_Options::get_option( 'id' );
1619
		if ( ! $blog_id ) {
1620
			return new WP_Error( 'site_not_registered', 'Site not registered.' );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'site_not_registered'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1621
		}
1622
		$url = sprintf(
1623
			'%s/%s/v%s/%s',
1624
			Constants::get_constant( 'JETPACK__WPCOM_JSON_API_BASE' ),
1625
			'wpcom',
1626
			'2',
1627
			'sites/' . $blog_id . '/jetpack-token-health'
1628
		);
1629
1630
		$user_token = $this->get_access_token( $user_id ? $user_id : get_current_user_id() );
1631
		$blog_token = $this->get_access_token();
1632
		$method     = 'POST';
1633
		$body       = array(
1634
			'user_token' => $this->get_signed_token( $user_token ),
0 ignored issues
show
Security Bug introduced by
It seems like $user_token defined by $this->get_access_token(... get_current_user_id()) on line 1630 can also be of type false; however, Automattic\Jetpack\Conne...ger::get_signed_token() does only seem to accept object, did you maybe forget to handle an error condition?

This check looks for type mismatches where the missing type is false. This is usually indicative of an error condtion.

Consider the follow example

<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}

This function either returns a new DateTime object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned false before passing on the value to another function or method that may not be able to handle a false.

Loading history...
1635
			'blog_token' => $this->get_signed_token( $blog_token ),
0 ignored issues
show
Security Bug introduced by
It seems like $blog_token defined by $this->get_access_token() on line 1631 can also be of type false; however, Automattic\Jetpack\Conne...ger::get_signed_token() does only seem to accept object, did you maybe forget to handle an error condition?

This check looks for type mismatches where the missing type is false. This is usually indicative of an error condtion.

Consider the follow example

<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}

This function either returns a new DateTime object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned false before passing on the value to another function or method that may not be able to handle a false.

Loading history...
1636
		);
1637
		$response   = Client::_wp_remote_request( $url, compact( 'body', 'method' ) );
1638
1639
		if ( is_wp_error( $response ) || ! wp_remote_retrieve_body( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
1640
			return false;
1641
		}
1642
1643
		$body = json_decode( wp_remote_retrieve_body( $response ), true );
1644
1645
		return $body ? $body : false;
1646
	}
1647
1648
	/**
1649
	 * Responds to a WordPress.com call to register the current site.
1650
	 * Should be changed to protected.
1651
	 *
1652
	 * @param array $registration_data Array of [ secret_1, user_id ].
1653
	 */
1654
	public function handle_registration( array $registration_data ) {
1655
		list( $registration_secret_1, $registration_user_id ) = $registration_data;
1656
		if ( empty( $registration_user_id ) ) {
1657
			return new \WP_Error( 'registration_state_invalid', __( 'Invalid Registration State', 'jetpack' ), 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'registration_state_invalid'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1658
		}
1659
1660
		return $this->verify_secrets( 'register', $registration_secret_1, (int) $registration_user_id );
1661
	}
1662
1663
	/**
1664
	 * Verify a Previously Generated Secret.
1665
	 *
1666
	 * @param string $action   The type of secret to verify.
1667
	 * @param string $secret_1 The secret string to compare to what is stored.
1668
	 * @param int    $user_id  The user ID of the owner of the secret.
1669
	 * @return \WP_Error|string WP_Error on failure, secret_2 on success.
1670
	 */
1671
	public function verify_secrets( $action, $secret_1, $user_id ) {
1672
		$allowed_actions = array( 'register', 'authorize', 'publicize' );
1673
		if ( ! in_array( $action, $allowed_actions, true ) ) {
1674
			return new \WP_Error( 'unknown_verification_action', 'Unknown Verification Action', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown_verification_action'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1675
		}
1676
1677
		$user = get_user_by( 'id', $user_id );
1678
1679
		/**
1680
		 * We've begun verifying the previously generated secret.
1681
		 *
1682
		 * @since 7.5.0
1683
		 *
1684
		 * @param string   $action The type of secret to verify.
1685
		 * @param \WP_User $user The user object.
1686
		 */
1687
		do_action( 'jetpack_verify_secrets_begin', $action, $user );
1688
1689
		$return_error = function ( \WP_Error $error ) use ( $action, $user ) {
1690
			/**
1691
			 * Verifying of the previously generated secret has failed.
1692
			 *
1693
			 * @since 7.5.0
1694
			 *
1695
			 * @param string    $action  The type of secret to verify.
1696
			 * @param \WP_User  $user The user object.
1697
			 * @param \WP_Error $error The error object.
1698
			 */
1699
			do_action( 'jetpack_verify_secrets_fail', $action, $user, $error );
1700
1701
			return $error;
1702
		};
1703
1704
		$stored_secrets = $this->get_secrets( $action, $user_id );
1705
		$this->delete_secrets( $action, $user_id );
1706
1707
		$error = null;
1708
		if ( empty( $secret_1 ) ) {
1709
			$error = $return_error(
1710
				new \WP_Error(
1711
					'verify_secret_1_missing',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secret_1_missing'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1712
					/* translators: "%s" is the name of a paramter. It can be either "secret_1" or "state". */
1713
					sprintf( __( 'The required "%s" parameter is missing.', 'jetpack' ), 'secret_1' ),
1714
					400
1715
				)
1716
			);
1717
		} elseif ( ! is_string( $secret_1 ) ) {
1718
			$error = $return_error(
1719
				new \WP_Error(
1720
					'verify_secret_1_malformed',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secret_1_malformed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1721
					/* translators: "%s" is the name of a paramter. It can be either "secret_1" or "state". */
1722
					sprintf( __( 'The required "%s" parameter is malformed.', 'jetpack' ), 'secret_1' ),
1723
					400
1724
				)
1725
			);
1726
		} elseif ( empty( $user_id ) ) {
1727
			// $user_id is passed around during registration as "state".
1728
			$error = $return_error(
1729
				new \WP_Error(
1730
					'state_missing',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'state_missing'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1731
					/* translators: "%s" is the name of a paramter. It can be either "secret_1" or "state". */
1732
					sprintf( __( 'The required "%s" parameter is missing.', 'jetpack' ), 'state' ),
1733
					400
1734
				)
1735
			);
1736
		} elseif ( ! ctype_digit( (string) $user_id ) ) {
1737
			$error = $return_error(
1738
				new \WP_Error(
1739
					'state_malformed',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'state_malformed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1740
					/* translators: "%s" is the name of a paramter. It can be either "secret_1" or "state". */
1741
					sprintf( __( 'The required "%s" parameter is malformed.', 'jetpack' ), 'state' ),
1742
					400
1743
				)
1744
			);
1745
		} elseif ( self::SECRETS_MISSING === $stored_secrets ) {
1746
			$error = $return_error(
1747
				new \WP_Error(
1748
					'verify_secrets_missing',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secrets_missing'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1749
					__( 'Verification secrets not found', 'jetpack' ),
1750
					400
1751
				)
1752
			);
1753
		} elseif ( self::SECRETS_EXPIRED === $stored_secrets ) {
1754
			$error = $return_error(
1755
				new \WP_Error(
1756
					'verify_secrets_expired',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secrets_expired'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1757
					__( 'Verification took too long', 'jetpack' ),
1758
					400
1759
				)
1760
			);
1761
		} elseif ( ! $stored_secrets ) {
1762
			$error = $return_error(
1763
				new \WP_Error(
1764
					'verify_secrets_empty',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secrets_empty'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1765
					__( 'Verification secrets are empty', 'jetpack' ),
1766
					400
1767
				)
1768
			);
1769
		} elseif ( is_wp_error( $stored_secrets ) ) {
1770
			$stored_secrets->add_data( 400 );
0 ignored issues
show
Bug introduced by
The method add_data cannot be called on $stored_secrets (of type string|array).

Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects.

Loading history...
1771
			$error = $return_error( $stored_secrets );
1772
		} elseif ( empty( $stored_secrets['secret_1'] ) || empty( $stored_secrets['secret_2'] ) || empty( $stored_secrets['exp'] ) ) {
1773
			$error = $return_error(
1774
				new \WP_Error(
1775
					'verify_secrets_incomplete',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secrets_incomplete'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1776
					__( 'Verification secrets are incomplete', 'jetpack' ),
1777
					400
1778
				)
1779
			);
1780
		} elseif ( ! hash_equals( $secret_1, $stored_secrets['secret_1'] ) ) {
1781
			$error = $return_error(
1782
				new \WP_Error(
1783
					'verify_secrets_mismatch',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'verify_secrets_mismatch'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1784
					__( 'Secret mismatch', 'jetpack' ),
1785
					400
1786
				)
1787
			);
1788
		}
1789
1790
		// Something went wrong during the checks, returning the error.
1791
		if ( ! empty( $error ) ) {
1792
			return $error;
1793
		}
1794
1795
		/**
1796
		 * We've succeeded at verifying the previously generated secret.
1797
		 *
1798
		 * @since 7.5.0
1799
		 *
1800
		 * @param string   $action The type of secret to verify.
1801
		 * @param \WP_User $user The user object.
1802
		 */
1803
		do_action( 'jetpack_verify_secrets_success', $action, $user );
1804
1805
		return $stored_secrets['secret_2'];
1806
	}
1807
1808
	/**
1809
	 * Responds to a WordPress.com call to authorize the current user.
1810
	 * Should be changed to protected.
1811
	 */
1812
	public function handle_authorization() {
1813
1814
	}
1815
1816
	/**
1817
	 * Obtains the auth token.
1818
	 *
1819
	 * @param array $data The request data.
1820
	 * @return object|\WP_Error Returns the auth token on success.
1821
	 *                          Returns a \WP_Error on failure.
1822
	 */
1823
	public function get_token( $data ) {
1824
		$roles = new Roles();
1825
		$role  = $roles->translate_current_user_to_role();
1826
1827
		if ( ! $role ) {
1828
			return new \WP_Error( 'role', __( 'An administrator for this blog must set up the Jetpack connection.', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'role'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1829
		}
1830
1831
		$client_secret = $this->get_access_token();
1832
		if ( ! $client_secret ) {
1833
			return new \WP_Error( 'client_secret', __( 'You need to register your Jetpack before connecting it.', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'client_secret'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1834
		}
1835
1836
		/**
1837
		 * Filter the URL of the first time the user gets redirected back to your site for connection
1838
		 * data processing.
1839
		 *
1840
		 * @since 8.0.0
1841
		 *
1842
		 * @param string $redirect_url Defaults to the site admin URL.
1843
		 */
1844
		$processing_url = apply_filters( 'jetpack_token_processing_url', admin_url( 'admin.php' ) );
1845
1846
		$redirect = isset( $data['redirect'] ) ? esc_url_raw( (string) $data['redirect'] ) : '';
1847
1848
		/**
1849
		* Filter the URL to redirect the user back to when the authentication process
1850
		* is complete.
1851
		*
1852
		* @since 8.0.0
1853
		*
1854
		* @param string $redirect_url Defaults to the site URL.
1855
		*/
1856
		$redirect = apply_filters( 'jetpack_token_redirect_url', $redirect );
1857
1858
		$redirect_uri = ( 'calypso' === $data['auth_type'] )
1859
			? $data['redirect_uri']
1860
			: add_query_arg(
1861
				array(
1862
					'action'   => 'authorize',
1863
					'_wpnonce' => wp_create_nonce( "jetpack-authorize_{$role}_{$redirect}" ),
1864
					'redirect' => $redirect ? rawurlencode( $redirect ) : false,
1865
				),
1866
				esc_url( $processing_url )
1867
			);
1868
1869
		/**
1870
		 * Filters the token request data.
1871
		 *
1872
		 * @since 8.0.0
1873
		 *
1874
		 * @param array $request_data request data.
1875
		 */
1876
		$body = apply_filters(
1877
			'jetpack_token_request_body',
1878
			array(
1879
				'client_id'     => \Jetpack_Options::get_option( 'id' ),
1880
				'client_secret' => $client_secret->secret,
1881
				'grant_type'    => 'authorization_code',
1882
				'code'          => $data['code'],
1883
				'redirect_uri'  => $redirect_uri,
1884
			)
1885
		);
1886
1887
		$args = array(
1888
			'method'  => 'POST',
1889
			'body'    => $body,
1890
			'headers' => array(
1891
				'Accept' => 'application/json',
1892
			),
1893
		);
1894
1895
		add_filter( 'http_request_timeout', array( $this, 'increase_timeout' ), PHP_INT_MAX - 1 );
1896
		$response = Client::_wp_remote_request( $this->api_url( 'token' ), $args );
1897
		remove_filter( 'http_request_timeout', array( $this, 'increase_timeout' ), PHP_INT_MAX - 1 );
1898
1899
		if ( is_wp_error( $response ) ) {
1900
			return new \WP_Error( 'token_http_request_failed', $response->get_error_message() );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'token_http_request_failed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1901
		}
1902
1903
		$code   = wp_remote_retrieve_response_code( $response );
1904
		$entity = wp_remote_retrieve_body( $response );
1905
1906
		if ( $entity ) {
1907
			$json = json_decode( $entity );
1908
		} else {
1909
			$json = false;
1910
		}
1911
1912 View Code Duplication
		if ( 200 !== $code || ! empty( $json->error ) ) {
1913
			if ( empty( $json->error ) ) {
1914
				return new \WP_Error( 'unknown', '', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1915
			}
1916
1917
			/* translators: Error description string. */
1918
			$error_description = isset( $json->error_description ) ? sprintf( __( 'Error Details: %s', 'jetpack' ), (string) $json->error_description ) : '';
1919
1920
			return new \WP_Error( (string) $json->error, $error_description, $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with (string) $json->error.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1921
		}
1922
1923
		if ( empty( $json->access_token ) || ! is_scalar( $json->access_token ) ) {
1924
			return new \WP_Error( 'access_token', '', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'access_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1925
		}
1926
1927
		if ( empty( $json->token_type ) || 'X_JETPACK' !== strtoupper( $json->token_type ) ) {
1928
			return new \WP_Error( 'token_type', '', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'token_type'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1929
		}
1930
1931
		if ( empty( $json->scope ) ) {
1932
			return new \WP_Error( 'scope', 'No Scope', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'scope'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1933
		}
1934
1935
		// TODO: get rid of the error silencer.
1936
		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
1937
		@list( $role, $hmac ) = explode( ':', $json->scope );
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
1938
		if ( empty( $role ) || empty( $hmac ) ) {
1939
			return new \WP_Error( 'scope', 'Malformed Scope', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'scope'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1940
		}
1941
1942
		if ( $this->sign_role( $role ) !== $json->scope ) {
1943
			return new \WP_Error( 'scope', 'Invalid Scope', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'scope'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1944
		}
1945
1946
		$cap = $roles->translate_role_to_cap( $role );
1947
		if ( ! $cap ) {
1948
			return new \WP_Error( 'scope', 'No Cap', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'scope'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1949
		}
1950
1951
		if ( ! current_user_can( $cap ) ) {
1952
			return new \WP_Error( 'scope', 'current_user_cannot', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'scope'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
1953
		}
1954
1955
		return (string) $json->access_token;
1956
	}
1957
1958
	/**
1959
	 * Increases the request timeout value to 30 seconds.
1960
	 *
1961
	 * @return int Returns 30.
1962
	 */
1963
	public function increase_timeout() {
1964
		return 30;
1965
	}
1966
1967
	/**
1968
	 * Builds a URL to the Jetpack connection auth page.
1969
	 *
1970
	 * @param WP_User $user (optional) defaults to the current logged in user.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user not be WP_User|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
1971
	 * @param String  $redirect (optional) a redirect URL to use instead of the default.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $redirect not be string|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
1972
	 * @return string Connect URL.
1973
	 */
1974
	public function get_authorization_url( $user = null, $redirect = null ) {
1975
1976
		if ( empty( $user ) ) {
1977
			$user = wp_get_current_user();
1978
		}
1979
1980
		$roles       = new Roles();
1981
		$role        = $roles->translate_user_to_role( $user );
1982
		$signed_role = $this->sign_role( $role );
1983
1984
		/**
1985
		 * Filter the URL of the first time the user gets redirected back to your site for connection
1986
		 * data processing.
1987
		 *
1988
		 * @since 8.0.0
1989
		 *
1990
		 * @param string $redirect_url Defaults to the site admin URL.
1991
		 */
1992
		$processing_url = apply_filters( 'jetpack_connect_processing_url', admin_url( 'admin.php' ) );
1993
1994
		/**
1995
		 * Filter the URL to redirect the user back to when the authorization process
1996
		 * is complete.
1997
		 *
1998
		 * @since 8.0.0
1999
		 *
2000
		 * @param string $redirect_url Defaults to the site URL.
2001
		 */
2002
		$redirect = apply_filters( 'jetpack_connect_redirect_url', $redirect );
2003
2004
		$secrets = $this->generate_secrets( 'authorize', $user->ID, 2 * HOUR_IN_SECONDS );
2005
2006
		/**
2007
		 * Filter the type of authorization.
2008
		 * 'calypso' completes authorization on wordpress.com/jetpack/connect
2009
		 * while 'jetpack' ( or any other value ) completes the authorization at jetpack.wordpress.com.
2010
		 *
2011
		 * @since 4.3.3
2012
		 *
2013
		 * @param string $auth_type Defaults to 'calypso', can also be 'jetpack'.
2014
		 */
2015
		$auth_type = apply_filters( 'jetpack_auth_type', 'calypso' );
2016
2017
		/**
2018
		 * Filters the user connection request data for additional property addition.
2019
		 *
2020
		 * @since 8.0.0
2021
		 *
2022
		 * @param array $request_data request data.
2023
		 */
2024
		$body = apply_filters(
2025
			'jetpack_connect_request_body',
2026
			array(
2027
				'response_type' => 'code',
2028
				'client_id'     => \Jetpack_Options::get_option( 'id' ),
2029
				'redirect_uri'  => add_query_arg(
2030
					array(
2031
						'action'   => 'authorize',
2032
						'_wpnonce' => wp_create_nonce( "jetpack-authorize_{$role}_{$redirect}" ),
2033
						'redirect' => rawurlencode( $redirect ),
2034
					),
2035
					esc_url( $processing_url )
2036
				),
2037
				'state'         => $user->ID,
2038
				'scope'         => $signed_role,
2039
				'user_email'    => $user->user_email,
2040
				'user_login'    => $user->user_login,
2041
				'is_active'     => $this->is_active(),
2042
				'jp_version'    => Constants::get_constant( 'JETPACK__VERSION' ),
2043
				'auth_type'     => $auth_type,
2044
				'secret'        => $secrets['secret_1'],
2045
				'blogname'      => get_option( 'blogname' ),
2046
				'site_url'      => site_url(),
2047
				'home_url'      => home_url(),
2048
				'site_icon'     => get_site_icon_url(),
2049
				'site_lang'     => get_locale(),
2050
				'site_created'  => $this->get_assumed_site_creation_date(),
2051
			)
2052
		);
2053
2054
		$body = $this->apply_activation_source_to_args( urlencode_deep( $body ) );
2055
2056
		$api_url = $this->api_url( 'authorize' );
2057
2058
		return add_query_arg( $body, $api_url );
2059
	}
2060
2061
	/**
2062
	 * Authorizes the user by obtaining and storing the user token.
2063
	 *
2064
	 * @param array $data The request data.
2065
	 * @return string|\WP_Error Returns a string on success.
2066
	 *                          Returns a \WP_Error on failure.
2067
	 */
2068
	public function authorize( $data = array() ) {
2069
		/**
2070
		 * Action fired when user authorization starts.
2071
		 *
2072
		 * @since 8.0.0
2073
		 */
2074
		do_action( 'jetpack_authorize_starting' );
2075
2076
		$roles = new Roles();
2077
		$role  = $roles->translate_current_user_to_role();
2078
2079
		if ( ! $role ) {
2080
			return new \WP_Error( 'no_role', 'Invalid request.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_role'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2081
		}
2082
2083
		$cap = $roles->translate_role_to_cap( $role );
2084
		if ( ! $cap ) {
2085
			return new \WP_Error( 'no_cap', 'Invalid request.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_cap'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2086
		}
2087
2088
		if ( ! empty( $data['error'] ) ) {
2089
			return new \WP_Error( $data['error'], 'Error included in the request.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with $data['error'].

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2090
		}
2091
2092
		if ( ! isset( $data['state'] ) ) {
2093
			return new \WP_Error( 'no_state', 'Request must include state.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_state'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2094
		}
2095
2096
		if ( ! ctype_digit( $data['state'] ) ) {
2097
			return new \WP_Error( $data['error'], 'State must be an integer.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with $data['error'].

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2098
		}
2099
2100
		$current_user_id = get_current_user_id();
2101
		if ( $current_user_id !== (int) $data['state'] ) {
2102
			return new \WP_Error( 'wrong_state', 'State does not match current user.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'wrong_state'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2103
		}
2104
2105
		if ( empty( $data['code'] ) ) {
2106
			return new \WP_Error( 'no_code', 'Request must include an authorization code.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_code'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2107
		}
2108
2109
		$token = $this->get_token( $data );
2110
2111 View Code Duplication
		if ( is_wp_error( $token ) ) {
2112
			$code = $token->get_error_code();
0 ignored issues
show
Bug introduced by
The method get_error_code() does not seem to exist on object<WP_Error>.

This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces.

This is most likely a typographical error or the method has been renamed.

Loading history...
2113
			if ( empty( $code ) ) {
2114
				$code = 'invalid_token';
2115
			}
2116
			return new \WP_Error( $code, $token->get_error_message(), 400 );
0 ignored issues
show
Bug introduced by
The method get_error_message() does not seem to exist on object<WP_Error>.

This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces.

This is most likely a typographical error or the method has been renamed.

Loading history...
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with $code.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2117
		}
2118
2119
		if ( ! $token ) {
2120
			return new \WP_Error( 'no_token', 'Error generating token.', 400 );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2121
		}
2122
2123
		$is_master_user = ! $this->is_active();
2124
2125
		Utils::update_user_token( $current_user_id, sprintf( '%s.%d', $token, $current_user_id ), $is_master_user );
2126
2127
		/**
2128
		 * Fires after user has successfully received an auth token.
2129
		 *
2130
		 * @since 3.9.0
2131
		 */
2132
		do_action( 'jetpack_user_authorized' );
2133
2134
		if ( ! $is_master_user ) {
2135
			/**
2136
			 * Action fired when a secondary user has been authorized.
2137
			 *
2138
			 * @since 8.0.0
2139
			 */
2140
			do_action( 'jetpack_authorize_ending_linked' );
2141
			return 'linked';
2142
		}
2143
2144
		/**
2145
		 * Action fired when the master user has been authorized.
2146
		 *
2147
		 * @since 8.0.0
2148
		 *
2149
		 * @param array $data The request data.
2150
		 */
2151
		do_action( 'jetpack_authorize_ending_authorized', $data );
2152
2153
		\Jetpack_Options::delete_raw_option( 'jetpack_last_connect_url_check' );
2154
2155
		// Start nonce cleaner.
2156
		wp_clear_scheduled_hook( 'jetpack_clean_nonces' );
2157
		wp_schedule_event( time(), 'hourly', 'jetpack_clean_nonces' );
2158
2159
		return 'authorized';
2160
	}
2161
2162
	/**
2163
	 * Disconnects from the Jetpack servers.
2164
	 * Forgets all connection details and tells the Jetpack servers to do the same.
2165
	 */
2166
	public function disconnect_site() {
2167
2168
	}
2169
2170
	/**
2171
	 * The Base64 Encoding of the SHA1 Hash of the Input.
2172
	 *
2173
	 * @param string $text The string to hash.
2174
	 * @return string
2175
	 */
2176
	public function sha1_base64( $text ) {
2177
		return base64_encode( sha1( $text, true ) ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
2178
	}
2179
2180
	/**
2181
	 * This function mirrors Jetpack_Data::is_usable_domain() in the WPCOM codebase.
2182
	 *
2183
	 * @param string $domain The domain to check.
2184
	 *
2185
	 * @return bool|WP_Error
2186
	 */
2187
	public function is_usable_domain( $domain ) {
2188
2189
		// If it's empty, just fail out.
2190
		if ( ! $domain ) {
2191
			return new \WP_Error(
2192
				'fail_domain_empty',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'fail_domain_empty'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2193
				/* translators: %1$s is a domain name. */
2194
				sprintf( __( 'Domain `%1$s` just failed is_usable_domain check as it is empty.', 'jetpack' ), $domain )
2195
			);
2196
		}
2197
2198
		/**
2199
		 * Skips the usuable domain check when connecting a site.
2200
		 *
2201
		 * Allows site administrators with domains that fail gethostname-based checks to pass the request to WP.com
2202
		 *
2203
		 * @since 4.1.0
2204
		 *
2205
		 * @param bool If the check should be skipped. Default false.
2206
		 */
2207
		if ( apply_filters( 'jetpack_skip_usuable_domain_check', false ) ) {
2208
			return true;
2209
		}
2210
2211
		// None of the explicit localhosts.
2212
		$forbidden_domains = array(
2213
			'wordpress.com',
2214
			'localhost',
2215
			'localhost.localdomain',
2216
			'127.0.0.1',
2217
			'local.wordpress.test',         // VVV pattern.
2218
			'local.wordpress-trunk.test',   // VVV pattern.
2219
			'src.wordpress-develop.test',   // VVV pattern.
2220
			'build.wordpress-develop.test', // VVV pattern.
2221
		);
2222 View Code Duplication
		if ( in_array( $domain, $forbidden_domains, true ) ) {
2223
			return new \WP_Error(
2224
				'fail_domain_forbidden',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'fail_domain_forbidden'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2225
				sprintf(
2226
					/* translators: %1$s is a domain name. */
2227
					__(
2228
						'Domain `%1$s` just failed is_usable_domain check as it is in the forbidden array.',
2229
						'jetpack'
2230
					),
2231
					$domain
2232
				)
2233
			);
2234
		}
2235
2236
		// No .test or .local domains.
2237 View Code Duplication
		if ( preg_match( '#\.(test|local)$#i', $domain ) ) {
2238
			return new \WP_Error(
2239
				'fail_domain_tld',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'fail_domain_tld'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2240
				sprintf(
2241
					/* translators: %1$s is a domain name. */
2242
					__(
2243
						'Domain `%1$s` just failed is_usable_domain check as it uses an invalid top level domain.',
2244
						'jetpack'
2245
					),
2246
					$domain
2247
				)
2248
			);
2249
		}
2250
2251
		// No WPCOM subdomains.
2252 View Code Duplication
		if ( preg_match( '#\.WordPress\.com$#i', $domain ) ) {
2253
			return new \WP_Error(
2254
				'fail_subdomain_wpcom',
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'fail_subdomain_wpcom'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2255
				sprintf(
2256
					/* translators: %1$s is a domain name. */
2257
					__(
2258
						'Domain `%1$s` just failed is_usable_domain check as it is a subdomain of WordPress.com.',
2259
						'jetpack'
2260
					),
2261
					$domain
2262
				)
2263
			);
2264
		}
2265
2266
		// If PHP was compiled without support for the Filter module (very edge case).
2267
		if ( ! function_exists( 'filter_var' ) ) {
2268
			// Just pass back true for now, and let wpcom sort it out.
2269
			return true;
2270
		}
2271
2272
		return true;
2273
	}
2274
2275
	/**
2276
	 * Gets the requested token.
2277
	 *
2278
	 * Tokens are one of two types:
2279
	 * 1. Blog Tokens: These are the "main" tokens. Each site typically has one Blog Token,
2280
	 *    though some sites can have multiple "Special" Blog Tokens (see below). These tokens
2281
	 *    are not associated with a user account. They represent the site's connection with
2282
	 *    the Jetpack servers.
2283
	 * 2. User Tokens: These are "sub-"tokens. Each connected user account has one User Token.
2284
	 *
2285
	 * All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the
2286
	 * token, and $private is a secret that should never be displayed anywhere or sent
2287
	 * over the network; it's used only for signing things.
2288
	 *
2289
	 * Blog Tokens can be "Normal" or "Special".
2290
	 * * Normal: The result of a normal connection flow. They look like
2291
	 *   "{$random_string_1}.{$random_string_2}"
2292
	 *   That is, $token_key and $private are both random strings.
2293
	 *   Sites only have one Normal Blog Token. Normal Tokens are found in either
2294
	 *   Jetpack_Options::get_option( 'blog_token' ) (usual) or the JETPACK_BLOG_TOKEN
2295
	 *   constant (rare).
2296
	 * * Special: A connection token for sites that have gone through an alternative
2297
	 *   connection flow. They look like:
2298
	 *   ";{$special_id}{$special_version};{$wpcom_blog_id};.{$random_string}"
2299
	 *   That is, $private is a random string and $token_key has a special structure with
2300
	 *   lots of semicolons.
2301
	 *   Most sites have zero Special Blog Tokens. Special tokens are only found in the
2302
	 *   JETPACK_BLOG_TOKEN constant.
2303
	 *
2304
	 * In particular, note that Normal Blog Tokens never start with ";" and that
2305
	 * Special Blog Tokens always do.
2306
	 *
2307
	 * When searching for a matching Blog Tokens, Blog Tokens are examined in the following
2308
	 * order:
2309
	 * 1. Defined Special Blog Tokens (via the JETPACK_BLOG_TOKEN constant)
2310
	 * 2. Stored Normal Tokens (via Jetpack_Options::get_option( 'blog_token' ))
2311
	 * 3. Defined Normal Tokens (via the JETPACK_BLOG_TOKEN constant)
2312
	 *
2313
	 * @param int|false    $user_id   false: Return the Blog Token. int: Return that user's User Token.
2314
	 * @param string|false $token_key If provided, check that the token matches the provided input.
2315
	 * @param bool|true    $suppress_errors If true, return a falsy value when the token isn't found; When false, return a descriptive WP_Error when the token isn't found.
2316
	 *
2317
	 * @return object|false
2318
	 */
2319
	public function get_access_token( $user_id = false, $token_key = false, $suppress_errors = true ) {
2320
		$possible_special_tokens = array();
2321
		$possible_normal_tokens  = array();
2322
		$user_tokens             = \Jetpack_Options::get_option( 'user_tokens' );
2323
2324
		if ( ( new Status() )->is_no_user_testing_mode() ) {
2325
			$user_tokens = false;
2326
		}
2327
2328
		if ( $user_id ) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $user_id of type false|integer is loosely compared to true; this is ambiguous if the integer can be zero. You might want to explicitly use !== null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For integer values, zero is a special case, in particular the following results might be unexpected:

0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
Loading history...
2329
			if ( ! $user_tokens ) {
2330
				return $suppress_errors ? false : new \WP_Error( 'no_user_tokens', __( 'No user tokens found', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_user_tokens'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2331
			}
2332
			if ( self::CONNECTION_OWNER === $user_id ) {
2333
				$user_id = \Jetpack_Options::get_option( 'master_user' );
2334
				if ( ! $user_id ) {
2335
					return $suppress_errors ? false : new \WP_Error( 'empty_master_user_option', __( 'No primary user defined', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'empty_master_user_option'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2336
				}
2337
			}
2338
			if ( ! isset( $user_tokens[ $user_id ] ) || ! $user_tokens[ $user_id ] ) {
2339
				// translators: %s is the user ID.
2340
				return $suppress_errors ? false : new \WP_Error( 'no_token_for_user', sprintf( __( 'No token for user %d', 'jetpack' ), $user_id ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_token_for_user'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2341
			}
2342
			$user_token_chunks = explode( '.', $user_tokens[ $user_id ] );
2343 View Code Duplication
			if ( empty( $user_token_chunks[1] ) || empty( $user_token_chunks[2] ) ) {
2344
				// translators: %s is the user ID.
2345
				return $suppress_errors ? false : new \WP_Error( 'token_malformed', sprintf( __( 'Token for user %d is malformed', 'jetpack' ), $user_id ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'token_malformed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2346
			}
2347
			if ( $user_token_chunks[2] !== (string) $user_id ) {
2348
				// translators: %1$d is the ID of the requested user. %2$d is the user ID found in the token.
2349
				return $suppress_errors ? false : new \WP_Error( 'user_id_mismatch', sprintf( __( 'Requesting user_id %1$d does not match token user_id %2$d', 'jetpack' ), $user_id, $user_token_chunks[2] ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'user_id_mismatch'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2350
			}
2351
			$possible_normal_tokens[] = "{$user_token_chunks[0]}.{$user_token_chunks[1]}";
2352
		} else {
2353
			$stored_blog_token = \Jetpack_Options::get_option( 'blog_token' );
2354
			if ( $stored_blog_token ) {
2355
				$possible_normal_tokens[] = $stored_blog_token;
2356
			}
2357
2358
			$defined_tokens_string = Constants::get_constant( 'JETPACK_BLOG_TOKEN' );
2359
2360
			if ( $defined_tokens_string ) {
2361
				$defined_tokens = explode( ',', $defined_tokens_string );
2362
				foreach ( $defined_tokens as $defined_token ) {
2363
					if ( ';' === $defined_token[0] ) {
2364
						$possible_special_tokens[] = $defined_token;
2365
					} else {
2366
						$possible_normal_tokens[] = $defined_token;
2367
					}
2368
				}
2369
			}
2370
		}
2371
2372
		if ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
2373
			$possible_tokens = $possible_normal_tokens;
2374
		} else {
2375
			$possible_tokens = array_merge( $possible_special_tokens, $possible_normal_tokens );
2376
		}
2377
2378
		if ( ! $possible_tokens ) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $possible_tokens of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.

Loading history...
2379
			// If no user tokens were found, it would have failed earlier, so this is about blog token.
2380
			return $suppress_errors ? false : new \WP_Error( 'no_possible_tokens', __( 'No blog token found', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_possible_tokens'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2381
		}
2382
2383
		$valid_token = false;
2384
2385
		if ( false === $token_key ) {
2386
			// Use first token.
2387
			$valid_token = $possible_tokens[0];
2388
		} elseif ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
2389
			// Use first normal token.
2390
			$valid_token = $possible_tokens[0]; // $possible_tokens only contains normal tokens because of earlier check.
2391
		} else {
2392
			// Use the token matching $token_key or false if none.
2393
			// Ensure we check the full key.
2394
			$token_check = rtrim( $token_key, '.' ) . '.';
2395
2396
			foreach ( $possible_tokens as $possible_token ) {
2397
				if ( hash_equals( substr( $possible_token, 0, strlen( $token_check ) ), $token_check ) ) {
2398
					$valid_token = $possible_token;
2399
					break;
2400
				}
2401
			}
2402
		}
2403
2404
		if ( ! $valid_token ) {
2405
			if ( $user_id ) {
2406
				// translators: %d is the user ID.
2407
				return $suppress_errors ? false : new \WP_Error( 'no_valid_user_token', sprintf( __( 'Invalid token for user %d', 'jetpack' ), $user_id ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_valid_user_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2408
			} else {
2409
				return $suppress_errors ? false : new \WP_Error( 'no_valid_blog_token', __( 'Invalid blog token', 'jetpack' ) );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'no_valid_blog_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2410
			}
2411
		}
2412
2413
		return (object) array(
2414
			'secret'           => $valid_token,
2415
			'external_user_id' => (int) $user_id,
2416
		);
2417
	}
2418
2419
	/**
2420
	 * In some setups, $HTTP_RAW_POST_DATA can be emptied during some IXR_Server paths
2421
	 * since it is passed by reference to various methods.
2422
	 * Capture it here so we can verify the signature later.
2423
	 *
2424
	 * @param array $methods an array of available XMLRPC methods.
2425
	 * @return array the same array, since this method doesn't add or remove anything.
2426
	 */
2427
	public function xmlrpc_methods( $methods ) {
2428
		$this->raw_post_data = $GLOBALS['HTTP_RAW_POST_DATA'];
2429
		return $methods;
2430
	}
2431
2432
	/**
2433
	 * Resets the raw post data parameter for testing purposes.
2434
	 */
2435
	public function reset_raw_post_data() {
2436
		$this->raw_post_data = null;
2437
	}
2438
2439
	/**
2440
	 * Registering an additional method.
2441
	 *
2442
	 * @param array $methods an array of available XMLRPC methods.
2443
	 * @return array the amended array in case the method is added.
2444
	 */
2445
	public function public_xmlrpc_methods( $methods ) {
2446
		if ( array_key_exists( 'wp.getOptions', $methods ) ) {
2447
			$methods['wp.getOptions'] = array( $this, 'jetpack_get_options' );
2448
		}
2449
		return $methods;
2450
	}
2451
2452
	/**
2453
	 * Handles a getOptions XMLRPC method call.
2454
	 *
2455
	 * @param array $args method call arguments.
2456
	 * @return an amended XMLRPC server options array.
2457
	 */
2458
	public function jetpack_get_options( $args ) {
2459
		global $wp_xmlrpc_server;
2460
2461
		$wp_xmlrpc_server->escape( $args );
2462
2463
		$username = $args[1];
2464
		$password = $args[2];
2465
2466
		$user = $wp_xmlrpc_server->login( $username, $password );
2467
		if ( ! $user ) {
2468
			return $wp_xmlrpc_server->error;
2469
		}
2470
2471
		$options   = array();
2472
		$user_data = $this->get_connected_user_data();
2473
		if ( is_array( $user_data ) ) {
2474
			$options['jetpack_user_id']         = array(
2475
				'desc'     => __( 'The WP.com user ID of the connected user', 'jetpack' ),
2476
				'readonly' => true,
2477
				'value'    => $user_data['ID'],
2478
			);
2479
			$options['jetpack_user_login']      = array(
2480
				'desc'     => __( 'The WP.com username of the connected user', 'jetpack' ),
2481
				'readonly' => true,
2482
				'value'    => $user_data['login'],
2483
			);
2484
			$options['jetpack_user_email']      = array(
2485
				'desc'     => __( 'The WP.com user email of the connected user', 'jetpack' ),
2486
				'readonly' => true,
2487
				'value'    => $user_data['email'],
2488
			);
2489
			$options['jetpack_user_site_count'] = array(
2490
				'desc'     => __( 'The number of sites of the connected WP.com user', 'jetpack' ),
2491
				'readonly' => true,
2492
				'value'    => $user_data['site_count'],
2493
			);
2494
		}
2495
		$wp_xmlrpc_server->blog_options = array_merge( $wp_xmlrpc_server->blog_options, $options );
2496
		$args                           = stripslashes_deep( $args );
2497
		return $wp_xmlrpc_server->wp_getOptions( $args );
2498
	}
2499
2500
	/**
2501
	 * Adds Jetpack-specific options to the output of the XMLRPC options method.
2502
	 *
2503
	 * @param array $options standard Core options.
2504
	 * @return array amended options.
2505
	 */
2506
	public function xmlrpc_options( $options ) {
2507
		$jetpack_client_id = false;
2508
		if ( $this->is_active() ) {
2509
			$jetpack_client_id = \Jetpack_Options::get_option( 'id' );
2510
		}
2511
		$options['jetpack_version'] = array(
2512
			'desc'     => __( 'Jetpack Plugin Version', 'jetpack' ),
2513
			'readonly' => true,
2514
			'value'    => Constants::get_constant( 'JETPACK__VERSION' ),
2515
		);
2516
2517
		$options['jetpack_client_id'] = array(
2518
			'desc'     => __( 'The Client ID/WP.com Blog ID of this site', 'jetpack' ),
2519
			'readonly' => true,
2520
			'value'    => $jetpack_client_id,
2521
		);
2522
		return $options;
2523
	}
2524
2525
	/**
2526
	 * Resets the saved authentication state in between testing requests.
2527
	 */
2528
	public function reset_saved_auth_state() {
2529
		$this->xmlrpc_verification = null;
2530
	}
2531
2532
	/**
2533
	 * Sign a user role with the master access token.
2534
	 * If not specified, will default to the current user.
2535
	 *
2536
	 * @access public
2537
	 *
2538
	 * @param string $role    User role.
2539
	 * @param int    $user_id ID of the user.
0 ignored issues
show
Documentation introduced by
Should the type for parameter $user_id not be integer|null?

This check looks for @param annotations where the type inferred by our type inference engine differs from the declared type.

It makes a suggestion as to what type it considers more descriptive.

Most often this is a case of a parameter that can be null in addition to its declared types.

Loading history...
2540
	 * @return string Signed user role.
2541
	 */
2542
	public function sign_role( $role, $user_id = null ) {
2543
		if ( empty( $user_id ) ) {
2544
			$user_id = (int) get_current_user_id();
2545
		}
2546
2547
		if ( ! $user_id ) {
2548
			return false;
2549
		}
2550
2551
		$token = $this->get_access_token();
2552
		if ( ! $token || is_wp_error( $token ) ) {
2553
			return false;
2554
		}
2555
2556
		return $role . ':' . hash_hmac( 'md5', "{$role}|{$user_id}", $token->secret );
2557
	}
2558
2559
	/**
2560
	 * Set the plugin instance.
2561
	 *
2562
	 * @param Plugin $plugin_instance The plugin instance.
2563
	 *
2564
	 * @return $this
2565
	 */
2566
	public function set_plugin_instance( Plugin $plugin_instance ) {
2567
		$this->plugin = $plugin_instance;
2568
2569
		return $this;
2570
	}
2571
2572
	/**
2573
	 * Retrieve the plugin management object.
2574
	 *
2575
	 * @return Plugin
2576
	 */
2577
	public function get_plugin() {
2578
		return $this->plugin;
2579
	}
2580
2581
	/**
2582
	 * Get all connected plugins information, excluding those disconnected by user.
2583
	 * WARNING: the method cannot be called until Plugin_Storage::configure is called, which happens on plugins_loaded
2584
	 * Even if you don't use Jetpack Config, it may be introduced later by other plugins,
2585
	 * so please make sure not to run the method too early in the code.
2586
	 *
2587
	 * @return array|WP_Error
2588
	 */
2589
	public function get_connected_plugins() {
2590
		$maybe_plugins = Plugin_Storage::get_all( true );
2591
2592
		if ( $maybe_plugins instanceof WP_Error ) {
2593
			return $maybe_plugins;
2594
		}
2595
2596
		return $maybe_plugins;
2597
	}
2598
2599
	/**
2600
	 * Force plugin disconnect. After its called, the plugin will not be allowed to use the connection.
2601
	 * Note: this method does not remove any access tokens.
2602
	 *
2603
	 * @return bool
2604
	 */
2605
	public function disable_plugin() {
2606
		if ( ! $this->plugin ) {
2607
			return false;
2608
		}
2609
2610
		return $this->plugin->disable();
2611
	}
2612
2613
	/**
2614
	 * Force plugin reconnect after user-initiated disconnect.
2615
	 * After its called, the plugin will be allowed to use the connection again.
2616
	 * Note: this method does not initialize access tokens.
2617
	 *
2618
	 * @return bool
2619
	 */
2620
	public function enable_plugin() {
2621
		if ( ! $this->plugin ) {
2622
			return false;
2623
		}
2624
2625
		return $this->plugin->enable();
2626
	}
2627
2628
	/**
2629
	 * Whether the plugin is allowed to use the connection, or it's been disconnected by user.
2630
	 * If no plugin slug was passed into the constructor, always returns true.
2631
	 *
2632
	 * @return bool
2633
	 */
2634
	public function is_plugin_enabled() {
2635
		if ( ! $this->plugin ) {
2636
			return true;
2637
		}
2638
2639
		return $this->plugin->is_enabled();
2640
	}
2641
2642
	/**
2643
	 * Perform the API request to refresh the blog token.
2644
	 * Note that we are making this request on behalf of the Jetpack master user,
2645
	 * given they were (most probably) the ones that registered the site at the first place.
2646
	 *
2647
	 * @return WP_Error|bool The result of updating the blog_token option.
2648
	 */
2649
	public static function refresh_blog_token() {
2650
		( new Tracking() )->record_user_event( 'restore_connection_refresh_blog_token' );
2651
2652
		$blog_id = Jetpack_Options::get_option( 'id' );
2653
		if ( ! $blog_id ) {
2654
			return new WP_Error( 'site_not_registered', 'Site not registered.' );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'site_not_registered'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2655
		}
2656
2657
		$url     = sprintf(
2658
			'%s/%s/v%s/%s',
2659
			Constants::get_constant( 'JETPACK__WPCOM_JSON_API_BASE' ),
2660
			'wpcom',
2661
			'2',
2662
			'sites/' . $blog_id . '/jetpack-refresh-blog-token'
2663
		);
2664
		$method  = 'POST';
2665
		$user_id = get_current_user_id();
2666
2667
		$response = Client::remote_request( compact( 'url', 'method', 'user_id' ) );
2668
2669
		if ( is_wp_error( $response ) ) {
2670
			return new WP_Error( 'refresh_blog_token_http_request_failed', $response->get_error_message() );
0 ignored issues
show
Bug introduced by
The method get_error_message() does not seem to exist on object<WP_Error>.

This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces.

This is most likely a typographical error or the method has been renamed.

Loading history...
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'refresh_blog_token_http_request_failed'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2671
		}
2672
2673
		$code   = wp_remote_retrieve_response_code( $response );
2674
		$entity = wp_remote_retrieve_body( $response );
2675
2676
		if ( $entity ) {
2677
			$json = json_decode( $entity );
2678
		} else {
2679
			$json = false;
2680
		}
2681
2682 View Code Duplication
		if ( 200 !== $code ) {
2683
			if ( empty( $json->code ) ) {
2684
				return new WP_Error( 'unknown', '', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'unknown'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2685
			}
2686
2687
			/* translators: Error description string. */
2688
			$error_description = isset( $json->message ) ? sprintf( __( 'Error Details: %s', 'jetpack' ), (string) $json->message ) : '';
2689
2690
			return new WP_Error( (string) $json->code, $error_description, $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with (string) $json->code.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2691
		}
2692
2693
		if ( empty( $json->jetpack_secret ) || ! is_scalar( $json->jetpack_secret ) ) {
2694
			return new WP_Error( 'jetpack_secret', '', $code );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'jetpack_secret'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2695
		}
2696
2697
		return Jetpack_Options::update_option( 'blog_token', (string) $json->jetpack_secret );
2698
	}
2699
2700
	/**
2701
	 * Disconnect the user from WP.com, and initiate the reconnect process.
2702
	 *
2703
	 * @return bool
2704
	 */
2705
	public static function refresh_user_token() {
2706
		( new Tracking() )->record_user_event( 'restore_connection_refresh_user_token' );
2707
2708
		self::disconnect_user( null, true );
2709
2710
		return true;
2711
	}
2712
2713
	/**
2714
	 * Fetches a signed token.
2715
	 *
2716
	 * @param object $token the token.
2717
	 * @return WP_Error|string a signed token
2718
	 */
2719
	public function get_signed_token( $token ) {
2720
		if ( ! isset( $token->secret ) || empty( $token->secret ) ) {
2721
			return new WP_Error( 'invalid_token' );
0 ignored issues
show
Unused Code introduced by
The call to WP_Error::__construct() has too many arguments starting with 'invalid_token'.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
2722
		}
2723
2724
		list( $token_key, $token_secret ) = explode( '.', $token->secret );
2725
2726
		$token_key = sprintf(
2727
			'%s:%d:%d',
2728
			$token_key,
2729
			Constants::get_constant( 'JETPACK__API_VERSION' ),
2730
			$token->external_user_id
2731
		);
2732
2733
		$timestamp = time();
2734
2735 View Code Duplication
		if ( function_exists( 'wp_generate_password' ) ) {
2736
			$nonce = wp_generate_password( 10, false );
2737
		} else {
2738
			$nonce = substr( sha1( wp_rand( 0, 1000000 ) ), 0, 10 );
2739
		}
2740
2741
		$normalized_request_string = join(
2742
			"\n",
2743
			array(
2744
				$token_key,
2745
				$timestamp,
2746
				$nonce,
2747
			)
2748
		) . "\n";
2749
2750
		// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
2751
		$signature = base64_encode( hash_hmac( 'sha1', $normalized_request_string, $token_secret, true ) );
2752
2753
		$auth = array(
2754
			'token'     => $token_key,
2755
			'timestamp' => $timestamp,
2756
			'nonce'     => $nonce,
2757
			'signature' => $signature,
2758
		);
2759
2760
		$header_pieces = array();
2761
		foreach ( $auth as $key => $value ) {
2762
			$header_pieces[] = sprintf( '%s="%s"', $key, $value );
2763
		}
2764
2765
		return join( ' ', $header_pieces );
2766
	}
2767
2768
	/**
2769
	 * If connection is active, add the list of plugins using connection to the heartbeat (except Jetpack itself)
2770
	 *
2771
	 * @param array $stats The Heartbeat stats array.
2772
	 * @return array $stats
2773
	 */
2774
	public function add_stats_to_heartbeat( $stats ) {
2775
2776
		if ( ! $this->is_active() ) {
2777
			return $stats;
2778
		}
2779
2780
		$active_plugins_using_connection = Plugin_Storage::get_all();
2781
		foreach ( array_keys( $active_plugins_using_connection ) as $plugin_slug ) {
2782
			if ( 'jetpack' !== $plugin_slug ) {
2783
				$stats_group             = isset( $active_plugins_using_connection['jetpack'] ) ? 'combined-connection' : 'standalone-connection';
2784
				$stats[ $stats_group ][] = $plugin_slug;
2785
			}
2786
		}
2787
		return $stats;
2788
	}
2789
2790
}
2791