Jetpack_Client

The WordPress Core Jetpack Client class.

Defined (1)

The class is defined in the following location(s).

/class.jetpack-client.php  
  1. class Jetpack_Client { 
  2. const WPCOM_JSON_API_VERSION = '1.1'; 
  3.  
  4. /** 
  5. * Makes an authorized remote request using Jetpack_Signature 
  6. * @return array|WP_Error WP HTTP response on success 
  7. */ 
  8. public static function remote_request( $args, $body = null ) { 
  9. $defaults = array( 
  10. 'url' => '',  
  11. 'user_id' => 0,  
  12. 'blog_id' => 0,  
  13. 'auth_location' => JETPACK_CLIENT__AUTH_LOCATION,  
  14. 'method' => 'POST',  
  15. 'timeout' => 10,  
  16. 'redirection' => 0,  
  17. 'headers' => array(),  
  18. 'stream' => false,  
  19. 'filename' => null,  
  20. 'sslverify' => true,  
  21. ); 
  22.  
  23. $args = wp_parse_args( $args, $defaults ); 
  24.  
  25. $args['blog_id'] = (int) $args['blog_id']; 
  26.  
  27. if ( 'header' != $args['auth_location'] ) { 
  28. $args['auth_location'] = 'query_string'; 
  29.  
  30. $token = Jetpack_Data::get_access_token( $args['user_id'] ); 
  31. if ( !$token ) { 
  32. return new Jetpack_Error( 'missing_token' ); 
  33.  
  34. $method = strtoupper( $args['method'] ); 
  35.  
  36. $timeout = intval( $args['timeout'] ); 
  37.  
  38. $redirection = $args['redirection']; 
  39. $stream = $args['stream']; 
  40. $filename = $args['filename']; 
  41. $sslverify = $args['sslverify']; 
  42.  
  43. $request = compact( 'method', 'body', 'timeout', 'redirection', 'stream', 'filename', 'sslverify' ); 
  44.  
  45. @list( $token_key, $secret ) = explode( '.', $token->secret ); 
  46. if ( empty( $token ) || empty( $secret ) ) { 
  47. return new Jetpack_Error( 'malformed_token' ); 
  48.  
  49. $token_key = sprintf( '%s:%d:%d', $token_key, JETPACK__API_VERSION, $token->external_user_id ); 
  50.  
  51. require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php'; 
  52.  
  53. $time_diff = (int) Jetpack_Options::get_option( 'time_diff' ); 
  54. $jetpack_signature = new Jetpack_Signature( $token->secret, $time_diff ); 
  55.  
  56. $timestamp = time() + $time_diff; 
  57.  
  58. if( function_exists( 'wp_generate_password' ) ) { 
  59. $nonce = wp_generate_password( 10, false ); 
  60. } else { 
  61. $nonce = substr( sha1( rand( 0, 1000000 ) ), 0, 10); 
  62.  
  63. // Kind of annoying. Maybe refactor Jetpack_Signature to handle body-hashing 
  64. if ( is_null( $body ) ) { 
  65. $body_hash = ''; 
  66.  
  67. } else { 
  68. // Allow arrays to be used in passing data. 
  69. $body_to_hash = $body; 
  70.  
  71. if ( is_array( $body ) ) { 
  72. // We cast this to a new variable, because the array form of $body needs to be 
  73. // maintained so it can be passed into the request later on in the code. 
  74. if ( count( $body ) > 0 ) { 
  75. $body_to_hash = json_encode( self::_stringify_data( $body ) ); 
  76. } else { 
  77. $body_to_hash = ''; 
  78.  
  79. if ( ! is_string( $body_to_hash ) ) { 
  80. return new Jetpack_Error( 'invalid_body', 'Body is malformed.' ); 
  81.  
  82. $body_hash = jetpack_sha1_base64( $body_to_hash ); 
  83.  
  84. $auth = array( 
  85. 'token' => $token_key,  
  86. 'timestamp' => $timestamp,  
  87. 'nonce' => $nonce,  
  88. 'body-hash' => $body_hash,  
  89. ); 
  90.  
  91. if ( false !== strpos( $args['url'], 'xmlrpc.php' ) ) { 
  92. $url_args = array( 
  93. 'for' => 'jetpack',  
  94. 'wpcom_blog_id' => Jetpack_Options::get_option( 'id' ),  
  95. ); 
  96. } else { 
  97. $url_args = array(); 
  98.  
  99. if ( 'header' != $args['auth_location'] ) { 
  100. $url_args += $auth; 
  101.  
  102. $url = add_query_arg( urlencode_deep( $url_args ), $args['url'] ); 
  103. $url = Jetpack::fix_url_for_bad_hosts( $url ); 
  104.  
  105. $signature = $jetpack_signature->sign_request( $token_key, $timestamp, $nonce, $body_hash, $method, $url, $body, false ); 
  106.  
  107. if ( !$signature || is_wp_error( $signature ) ) { 
  108. return $signature; 
  109.  
  110. // Send an Authorization header so various caches/proxies do the right thing 
  111. $auth['signature'] = $signature; 
  112. $auth['version'] = JETPACK__VERSION; 
  113. $header_pieces = array(); 
  114. foreach ( $auth as $key => $value ) { 
  115. $header_pieces[] = sprintf( '%s="%s"', $key, $value ); 
  116. $request['headers'] = array_merge( $args['headers'], array( 
  117. 'Authorization' => "X_JETPACK " . join( ' ', $header_pieces ),  
  118. ) ); 
  119.  
  120. $host = parse_url( $url, PHP_URL_HOST ); 
  121.  
  122. // If we have a JETPACK__WPCOM_JSON_API_HOST_HEADER set, then let's use 
  123. // that, otherwise, let's fallback to the standard. 
  124. if ( defined( 'JETPACK__WPCOM_JSON_API_HOST_HEADER' ) && JETPACK__WPCOM_JSON_API_HOST_HEADER ) { 
  125. $request['headers']['Host'] = JETPACK__WPCOM_JSON_API_HOST_HEADER; 
  126.  
  127. } elseif ( $host === JETPACK__WPCOM_JSON_API_HOST ) { 
  128. $request['headers']['Host'] = 'public-api.wordpress.com'; 
  129.  
  130. if ( 'header' != $args['auth_location'] ) { 
  131. $url = add_query_arg( 'signature', urlencode( $signature ), $url ); 
  132.  
  133. return Jetpack_Client::_wp_remote_request( $url, $request ); 
  134.  
  135. /** 
  136. * Wrapper for wp_remote_request(). Turns off SSL verification for certain SSL errors. 
  137. * This is lame, but many, many, many hosts have misconfigured SSL. 
  138. * When Jetpack is registered, the jetpack_fallback_no_verify_ssl_certs option is set to the current time if: 
  139. * 1. a certificate error is found AND 
  140. * 2. not verifying the certificate works around the problem. 
  141. * The option is checked on each request. 
  142. * @internal 
  143. * @see Jetpack::fix_url_for_bad_hosts() 
  144. * @return array|WP_Error WP HTTP response on success 
  145. */ 
  146. public static function _wp_remote_request( $url, $args, $set_fallback = false ) { 
  147. /** 
  148. * SSL verification (`sslverify`) for the JetpackClient remote request 
  149. * defaults to off, use this filter to force it on. 
  150. * Return `true` to ENABLE SSL verification, return `false` 
  151. * to DISABLE SSL verification. 
  152. * @since 3.6.0 
  153. * @param bool Whether to force `sslverify` or not. 
  154. */ 
  155. if ( apply_filters( 'jetpack_client_verify_ssl_certs', false ) ) { 
  156. return wp_remote_request( $url, $args ); 
  157.  
  158. $fallback = Jetpack_Options::get_option( 'fallback_no_verify_ssl_certs' ); 
  159. if ( false === $fallback ) { 
  160. Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', 0 ); 
  161.  
  162. if ( (int) $fallback ) { 
  163. // We're flagged to fallback 
  164. $args['sslverify'] = false; 
  165.  
  166. $response = wp_remote_request( $url, $args ); 
  167.  
  168. if ( 
  169. !$set_fallback // We're not allowed to set the flag on this request, so whatever happens happens 
  170. || 
  171. isset( $args['sslverify'] ) && !$args['sslverify'] // No verification - no point in doing it again 
  172. || 
  173. !is_wp_error( $response ) // Let it ride 
  174. ) { 
  175. Jetpack_Client::set_time_diff( $response, $set_fallback ); 
  176. return $response; 
  177.  
  178. // At this point, we're not flagged to fallback and we are allowed to set the flag on this request. 
  179.  
  180. $message = $response->get_error_message(); 
  181.  
  182. // Is it an SSL Certificate verification error? 
  183. if ( 
  184. false === strpos( $message, '14090086' ) // OpenSSL SSL3 certificate error 
  185. && 
  186. false === strpos( $message, '1407E086' ) // OpenSSL SSL2 certificate error 
  187. && 
  188. false === strpos( $message, 'error setting certificate verify locations' ) // cURL CA bundle not found 
  189. && 
  190. false === strpos( $message, 'Peer certificate cannot be authenticated with' ) // cURL CURLE_SSL_CACERT: CA bundle found, but not helpful 
  191. // different versions of curl have different error messages 
  192. // this string should catch them all 
  193. && 
  194. false === strpos( $message, 'Problem with the SSL CA cert' ) // cURL CURLE_SSL_CACERT_BADFILE: probably access rights 
  195. ) { 
  196. // No, it is not. 
  197. return $response; 
  198.  
  199. // Redo the request without SSL certificate verification. 
  200. $args['sslverify'] = false; 
  201. $response = wp_remote_request( $url, $args ); 
  202.  
  203. if ( !is_wp_error( $response ) ) { 
  204. // The request went through this time, flag for future fallbacks 
  205. Jetpack_Options::update_option( 'fallback_no_verify_ssl_certs', time() ); 
  206. Jetpack_Client::set_time_diff( $response, $set_fallback ); 
  207.  
  208. return $response; 
  209.  
  210. public static function set_time_diff( &$response, $force_set = false ) { 
  211. $code = wp_remote_retrieve_response_code( $response ); 
  212.  
  213. // Only trust the Date header on some responses 
  214. if ( 200 != $code && 304 != $code && 400 != $code && 401 != $code ) { 
  215. return; 
  216.  
  217. if ( !$date = wp_remote_retrieve_header( $response, 'date' ) ) { 
  218. return; 
  219.  
  220. if ( 0 >= $time = (int) strtotime( $date ) ) { 
  221. return; 
  222.  
  223. $time_diff = $time - time(); 
  224.  
  225. if ( $force_set ) { // during register 
  226. Jetpack_Options::update_option( 'time_diff', $time_diff ); 
  227. } else { // otherwise 
  228. $old_diff = Jetpack_Options::get_option( 'time_diff' ); 
  229. if ( false === $old_diff || abs( $time_diff - (int) $old_diff ) > 10 ) { 
  230. Jetpack_Options::update_option( 'time_diff', $time_diff ); 
  231.  
  232. /** 
  233. * Query the WordPress.com REST API using the blog token 
  234. * @param string $path 
  235. * @param string $version 
  236. * @param array $args 
  237. * @param string $body 
  238. * @return array|WP_Error $response Data. 
  239. */ 
  240. static function wpcom_json_api_request_as_blog( $path, $version = self::WPCOM_JSON_API_VERSION, $args = array(), $body = null ) { 
  241. $filtered_args = array_intersect_key( $args, array( 
  242. 'method' => 'string',  
  243. 'timeout' => 'int',  
  244. 'redirection' => 'int',  
  245. 'stream' => 'boolean',  
  246. 'filename' => 'string',  
  247. 'sslverify' => 'boolean',  
  248. ) ); 
  249.  
  250. /** 
  251. * Determines whether Jetpack can send outbound https requests to the WPCOM api. 
  252. * @since 3.6.0 
  253. * @param bool $proto Defaults to true. 
  254. */ 
  255. $proto = apply_filters( 'jetpack_can_make_outbound_https', true ) ? 'https' : 'http'; 
  256.  
  257. // unprecedingslashit 
  258. $_path = preg_replace( '/^\//', '', $path ); 
  259.  
  260. // Use GET by default whereas `remote_request` uses POST 
  261. $request_method = ( isset( $filtered_args['method'] ) ) ? $filtered_args['method'] : 'GET'; 
  262.  
  263. $validated_args = array_merge( $filtered_args, array( 
  264. 'url' => sprintf( '%s://%s/rest/v%s/%s', $proto, JETPACK__WPCOM_JSON_API_HOST, $version, $_path ),  
  265. 'blog_id' => (int) Jetpack_Options::get_option( 'id' ),  
  266. 'method' => $request_method,  
  267. ) ); 
  268.  
  269. return Jetpack_Client::remote_request( $validated_args, $body ); 
  270.  
  271. /** 
  272. * Takes an array or similar structure and recursively turns all values into strings. This is used to 
  273. * make sure that body hashes are made ith the string version, which is what will be seen after a 
  274. * server pulls up the data in the $_POST array. 
  275. * @param array|mixed $data 
  276. * @return array|string 
  277. */ 
  278. public static function _stringify_data( $data ) { 
  279.  
  280. // Booleans are special, lets just makes them and explicit 1/0 instead of the 0 being an empty string. 
  281. if ( is_bool( $data ) ) { 
  282. return $data ? "1" : "0"; 
  283.  
  284. // Cast objects into arrays. 
  285. if ( is_object( $data ) ) { 
  286. $data = (array) $data; 
  287.  
  288. // Non arrays at this point should be just converted to strings. 
  289. if ( ! is_array( $data ) ) { 
  290. return (string)$data; 
  291.  
  292. foreach ( $data as $key => &$value ) { 
  293. $value = self::_stringify_data( $value ); 
  294.  
  295. return $data;