Jetpack_Signature - Code Metrics - Inspection of "Reinstate lodash dependency." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — fix/slideshow-dependencies ( a328c8...25d99e )

unknown

created 2019-02-21 19:41 UTC

Jetpack_Signature F

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	250
Duplicated Lines	2.4 %

Coupling/Cohesion

Components	1
Dependencies	1

Importance

Changes

Metric	Value
dl	6
loc	250
rs	3.2
c	0
b	0
f	0
wmc	65
lcom	1
cbo	1

6 Methods

Rating	Name	Duplication	Size	Complexity
A	__construct()	0	9	2
F	sign_current_request()	0	81	27
F	sign_request()	6	112	29
A	normalized_query_parameters()	0	19	2
A	encode_3986()	0	8	2
A	join_with_equal_sign()	0	10	3

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like Jetpack_Signature often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use Jetpack_Signature, and based on these observations, apply Extract Interface, too.

<?php

// These constants can be set in wp-config.php to ensure sites behind proxies will still work.
// Setting these constants, though, is *not* the preferred method. It's better to configure
// the proxy to send the X-Forwarded-Port header.
defined( 'JETPACK_SIGNATURE__HTTP_PORT'  ) or define( 'JETPACK_SIGNATURE__HTTP_PORT' , 80  );
defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) or define( 'JETPACK_SIGNATURE__HTTPS_PORT', 443 );

class Jetpack_Signature {
	public $token;
	public $secret;

	function __construct( $access_token, $time_diff = 0 ) {
		$secret = explode( '.', $access_token );
		if ( 2 != count( $secret ) )
			return;

		$this->token  = $secret[0];
		$this->secret = $secret[1];
		$this->time_diff = $time_diff;
class MyClass { }

$x = new MyClass();
$x->foo = true;
	}

	function sign_current_request( $override = array() ) {
		if ( isset( $override['scheme'] ) ) {
			$scheme = $override['scheme'];
			if ( !in_array( $scheme, array( 'http', 'https' ) ) ) {
				return new Jetpack_Error( 'invalid_scheme', 'Invalid URL scheme' );
			}
		} else {
			if ( is_ssl() ) {
				$scheme = 'https';
			} else {
				$scheme = 'http';
			}
		}

		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];

		if ( is_ssl() ) {
			// 443: Standard Port
			// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
			//     with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
			//     the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
			//     site at https://example.com:80/ (which would be a strange configuration).
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
			//                                if the site is behind a proxy running on port 443 without
			//                                X-Forwarded-Port and the back end's port is *not* 80. It's better,
			//                                though, to configure the proxy to send X-Forwarded-Port.
			$port = in_array( $host_port, array( 443, 80, JETPACK_SIGNATURE__HTTPS_PORT ) ) ? '' : $host_port;
		} else {
			// 80: Standard Port
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
			//                                if the site is behind a proxy running on port 80 without
			//                                X-Forwarded-Port. It's better, though, to configure the proxy to
			//                                send X-Forwarded-Port.
			$port = in_array( $host_port, array( 80, JETPACK_SIGNATURE__HTTP_PORT ) ) ? '' : $host_port;
		}

		$url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );

		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
			$body = $override['body'];
		} else if ( 'POST' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
			$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;

			// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
			// and encoded on the Jetpack side.
			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
					$body = $_POST;
				}
			}
		} else if ( 'PUT' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
			// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body
			$raw_put_data = file_get_contents( 'php://input' );
			parse_str( $raw_put_data, $body );

			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				$put_data = json_decode( $raw_put_data, true );
				if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
					$body = $put_data;
				}
			}
		} else {
			$body = null;
		}

		if ( empty( $body ) ) {
			$body = null;
		}

		$a = array();
		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
			if ( isset( $override[$parameter] ) ) {
				$a[$parameter] = $override[$parameter];
			} else {
				$a[$parameter] = isset( $_GET[$parameter] ) ? stripslashes( $_GET[$parameter] ) : '';
			}
		}

		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $url, $body, true );
	}

	// body_hash v. body-hash is annoying.  Refactor to accept an array?
	function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
		if ( !$this->secret ) {
			return new Jetpack_Error( 'invalid_secret', 'Invalid secret' );
		}

		if ( !$this->token ) {
			return new Jetpack_Error( 'invalid_token', 'Invalid token' );
		}

		list( $token ) = explode( '.', $token );

		if ( 0 !== strpos( $token, "$this->token:" ) ) {
			return new Jetpack_Error( 'token_mismatch', 'Incorrect token' );
		}

		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
		if ( is_array( $body ) ) {
			if ( count( $body ) > 0 ) {
				$body = json_encode( $body );

			} else {
				$body = '';
			}
		}

		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
		if ( !is_null( $body ) ) {
			$required_parameters[] = 'body_hash';
			if ( !is_string( $body ) ) {
				return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
			}
		}

		foreach ( $required_parameters as $required ) {
			if ( !is_scalar( $$required ) ) {
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ) );
			}

			if ( !strlen( $$required ) ) {
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ) );
			}
		}

		if ( empty( $body ) ) {
			if ( $body_hash ) {
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
			}
		} else {
			if ( $verify_body_hash && jetpack_sha1_base64( $body ) !== $body_hash ) {
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
			}
		}

		$parsed = parse_url( $url );
		if ( !isset( $parsed['host'] ) ) {
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ) );
		}

		if ( !empty( $parsed['port'] ) ) {
			$port = $parsed['port'];
		} else {
			if ( 'http' == $parsed['scheme'] ) {
				$port = 80;
			} else if ( 'https' == $parsed['scheme'] ) {
				$port = 443;
			} else {
				return new Jetpack_Error( 'unknown_scheme_port', "The scheme's port is unknown" );
			}
		}

		if ( !ctype_digit( "$timestamp" ) || 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ) );
		}

		$local_time = $timestamp - $this->time_diff;
		if ( $local_time < time() - 600 || $local_time > time() + 300 ) {
			return new Jetpack_Error( 'invalid_signature', 'The timestamp is too old.' );
		}

		if ( 12 < strlen( $nonce ) || preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ) );
		}

		$normalized_request_pieces = array(
			$token,
			$timestamp,
			$nonce,
			$body_hash,
			strtoupper( $method ),
			strtolower( $parsed['host'] ),
			$port,
			$parsed['path'],
			// Normalized Query String
		);

		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
		$flat_normalized_request_pieces = array();
		foreach ($normalized_request_pieces as $piece) {
			if ( is_array( $piece ) ) {
				foreach ( $piece as $subpiece ) {
					$flat_normalized_request_pieces[] = $subpiece;
				}
			} else {
				$flat_normalized_request_pieces[] = $piece;
			}
		}
		$normalized_request_pieces = $flat_normalized_request_pieces;

		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";

		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
	}

	function normalized_query_parameters( $query_string ) {
		parse_str( $query_string, $array );
		if ( get_magic_quotes_gpc() )
			$array = stripslashes_deep( $array );

		unset( $array['signature'] );

		$names  = array_keys( $array );
		$values = array_values( $array );

		$names  = array_map( array( $this, 'encode_3986' ), $names  );
		$values = array_map( array( $this, 'encode_3986' ), $values );

		$pairs  = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );

		sort( $pairs );

		return $pairs;
	}

	function encode_3986( $string_or_array ) {
		if ( is_array( $string_or_array ) ) {
			return array_map( array( $this, 'encode_3986' ), $string_or_array );
		}

		$string_or_array = rawurlencode( $string_or_array );
		return str_replace( '%7E', '~', $string_or_array ); // prior to PHP 5.3, rawurlencode was RFC 1738
	}

	function join_with_equal_sign( $name, $value ) {
		if ( is_array( $value ) ) {
			$result = array();
			foreach ( $value as $array_key => $array_value ) {
				$result[] = $name . '[' . $array_key . ']' . '=' . $array_value;
			}
			return $result;
		}
		return "{$name}={$value}";
	}
}

function jetpack_sha1_base64( $text ) {
	return base64_encode( sha1( $text, true ) );
}


1		<?php
2
3		// These constants can be set in wp-config.php to ensure sites behind proxies will still work.
4		// Setting these constants, though, is not the preferred method. It's better to configure
5		// the proxy to send the X-Forwarded-Port header.
6		defined( 'JETPACK_SIGNATURE__HTTP_PORT' ) or define( 'JETPACK_SIGNATURE__HTTP_PORT' , 80 );
7		defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) or define( 'JETPACK_SIGNATURE__HTTPS_PORT', 443 );
8
9		class Jetpack_Signature {
10		public $token;
11		public $secret;
12
13		function __construct( $access_token, $time_diff = 0 ) {
14		$secret = explode( '.', $access_token );
15		if ( 2 != count( $secret ) )
16		return;
17
18		$this->token = $secret[0];
19		$this->secret = $secret[1];
20		$this->time_diff = $time_diff;
		0 ignored issues – show Bug introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report The property `time_diff` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
21		}
22
23		function sign_current_request( $override = array() ) {
24		if ( isset( $override['scheme'] ) ) {
25		$scheme = $override['scheme'];
26		if ( !in_array( $scheme, array( 'http', 'https' ) ) ) {
27		return new Jetpack_Error( 'invalid_scheme', 'Invalid URL scheme' );
28		}
29		} else {
30		if ( is_ssl() ) {
31		$scheme = 'https';
32		} else {
33		$scheme = 'http';
34		}
35		}
36
37		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];
38
39		if ( is_ssl() ) {
40		// 443: Standard Port
41		// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
42		// with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
43		// the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
44		// site at https://example.com:80/ (which would be a strange configuration).
45		// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
46		// if the site is behind a proxy running on port 443 without
47		// X-Forwarded-Port and the back end's port is not 80. It's better,
48		// though, to configure the proxy to send X-Forwarded-Port.
49		$port = in_array( $host_port, array( 443, 80, JETPACK_SIGNATURE__HTTPS_PORT ) ) ? '' : $host_port;
50		} else {
51		// 80: Standard Port
52		// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
53		// if the site is behind a proxy running on port 80 without
54		// X-Forwarded-Port. It's better, though, to configure the proxy to
55		// send X-Forwarded-Port.
56		$port = in_array( $host_port, array( 80, JETPACK_SIGNATURE__HTTP_PORT ) ) ? '' : $host_port;
57		}
58
59		$url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );
60
61		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
62		$body = $override['body'];
63		} else if ( 'POST' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
64		$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;
65
66		// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
67		// and encoded on the Jetpack side.
68		if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
69		if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
70		$body = $_POST;
71		}
72		}
73		} else if ( 'PUT' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
74		// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body
75		$raw_put_data = file_get_contents( 'php://input' );
76		parse_str( $raw_put_data, $body );
77
78		if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
79		$put_data = json_decode( $raw_put_data, true );
80		if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
81		$body = $put_data;
82		}
83		}
84		} else {
85		$body = null;
86		}
87
88		if ( empty( $body ) ) {
89		$body = null;
90		}
91
92		$a = array();
93		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
94		if ( isset( $override[$parameter] ) ) {
95		$a[$parameter] = $override[$parameter];
96		} else {
97		$a[$parameter] = isset( $_GET[$parameter] ) ? stripslashes( $_GET[$parameter] ) : '';
98		}
99		}
100
101		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
102		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $url, $body, true );
103		}
104
105		// body_hash v. body-hash is annoying. Refactor to accept an array?
106		function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
107		if ( !$this->secret ) {
108		return new Jetpack_Error( 'invalid_secret', 'Invalid secret' );
109		}
110
111		if ( !$this->token ) {
112		return new Jetpack_Error( 'invalid_token', 'Invalid token' );
113		}
114
115		list( $token ) = explode( '.', $token );
116
117		if ( 0 !== strpos( $token, "$this->token:" ) ) {
118		return new Jetpack_Error( 'token_mismatch', 'Incorrect token' );
119		}
120
121		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
122		if ( is_array( $body ) ) {
123		if ( count( $body ) > 0 ) {
124		$body = json_encode( $body );
125
126		} else {
127		$body = '';
128		}
129		}
130
131		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
132		if ( !is_null( $body ) ) {
133		$required_parameters[] = 'body_hash';
134		if ( !is_string( $body ) ) {
135		return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
136		}
137		}
138
139		foreach ( $required_parameters as $required ) {
140	View Code Duplication	if ( !is_scalar( $$required ) ) {
141		return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ) );
142		}
143
144	View Code Duplication	if ( !strlen( $$required ) ) {
145		return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ) );
146		}
147		}
148
149		if ( empty( $body ) ) {
150		if ( $body_hash ) {
151		return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
152		}
153		} else {
154		if ( $verify_body_hash && jetpack_sha1_base64( $body ) !== $body_hash ) {
155		return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
156		}
157		}
158
159		$parsed = parse_url( $url );
160		if ( !isset( $parsed['host'] ) ) {
161		return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ) );
162		}
163
164		if ( !empty( $parsed['port'] ) ) {
165		$port = $parsed['port'];
166		} else {
167		if ( 'http' == $parsed['scheme'] ) {
168		$port = 80;
169		} else if ( 'https' == $parsed['scheme'] ) {
170		$port = 443;
171		} else {
172		return new Jetpack_Error( 'unknown_scheme_port', "The scheme's port is unknown" );
173		}
174		}
175
176		if ( !ctype_digit( "$timestamp" ) \|\| 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
177		return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ) );
178		}
179
180		$local_time = $timestamp - $this->time_diff;
181		if ( $local_time < time() - 600 \|\| $local_time > time() + 300 ) {
182		return new Jetpack_Error( 'invalid_signature', 'The timestamp is too old.' );
183		}
184
185		if ( 12 < strlen( $nonce ) \|\| preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
186		return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ) );
187		}
188
189		$normalized_request_pieces = array(
190		$token,
191		$timestamp,
192		$nonce,
193		$body_hash,
194		strtoupper( $method ),
195		strtolower( $parsed['host'] ),
196		$port,
197		$parsed['path'],
198		// Normalized Query String
199		);
200
201		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
202		$flat_normalized_request_pieces = array();
203		foreach ($normalized_request_pieces as $piece) {
204		if ( is_array( $piece ) ) {
205		foreach ( $piece as $subpiece ) {
206		$flat_normalized_request_pieces[] = $subpiece;
207		}
208		} else {
209		$flat_normalized_request_pieces[] = $piece;
210		}
211		}
212		$normalized_request_pieces = $flat_normalized_request_pieces;
213
214		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";
215
216		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
217		}
218
219		function normalized_query_parameters( $query_string ) {
220		parse_str( $query_string, $array );
221		if ( get_magic_quotes_gpc() )
222		$array = stripslashes_deep( $array );
223
224		unset( $array['signature'] );
225
226		$names = array_keys( $array );
227		$values = array_values( $array );
228
229		$names = array_map( array( $this, 'encode_3986' ), $names );
230		$values = array_map( array( $this, 'encode_3986' ), $values );
231
232		$pairs = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );
233
234		sort( $pairs );
235
236		return $pairs;
237		}
238
239		function encode_3986( $string_or_array ) {
240		if ( is_array( $string_or_array ) ) {
241		return array_map( array( $this, 'encode_3986' ), $string_or_array );
242		}
243
244		$string_or_array = rawurlencode( $string_or_array );
245		return str_replace( '%7E', '~', $string_or_array ); // prior to PHP 5.3, rawurlencode was RFC 1738
246		}
247
248		function join_with_equal_sign( $name, $value ) {
249		if ( is_array( $value ) ) {
250		$result = array();
251		foreach ( $value as $array_key => $array_value ) {
252		$result[] = $name . '[' . $array_key . ']' . '=' . $array_value;
253		}
254		return $result;
255		}
256		return "{$name}={$value}";
257		}
258		}
259
260		function jetpack_sha1_base64( $text ) {
261		return base64_encode( sha1( $text, true ) );
262		}
263

Automattic / jetpack