author | Yury German <blueknight@gentoo.org> | 2022-06-15 12:08:35 -0400 |
---|---|---|
committer | Yury German <blueknight@gentoo.org> | 2022-06-15 12:08:35 -0400 |
commit | 36d7691c33cb64ece817246e47a779ec648d10b0 (patch) | |
tree | 08f2fb95303a1d8eeba2c8629a24b35a91fb1cac /plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php | |
parent | twentyfourteen upg 2.7 to 3.2 and twentysixteen from 2.0 to 2.5 (diff) | |
Openid-3.6.1 and jetpack-11.0 upgrade
Signed-off-by: Yury German <blueknight@gentoo.org>
Diffstat (limited to 'plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php')
-rw-r--r-- | plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php | 98 |
1 files changed, 97 insertions, 1 deletions
diff --git a/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php b/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php
index 38fb58d4..4a752def 100644
--- a/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php
+++ b/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php
@@ -9,6 +9,9 @@ namespace Automattic\Jetpack\Connection;
 use Automattic\Jetpack\Constants;
 use Automattic\Jetpack\Roles;
+use DateInterval;
+use DateTime;
+use Exception;
 use Jetpack_Options;
 use WP_Error;
@@ -20,6 +23,11 @@ class Tokens {
 const MAGIC_NORMAL_TOKEN_KEY = ';normal;';
 /**
+ * Datetime format.
+ */
+ const DATE_FORMAT_ATOM = 'Y-m-d\TH:i:sP';
+
+ /**
 * Deletes all connection tokens and transients from the local Jetpack site.
 */
 public function delete_all() {
@@ -30,6 +38,8 @@ class Tokens {
 'user_tokens',
 )
 );
+
+ $this->remove_lock();
 }
 /**
@@ -58,7 +68,7 @@ class Tokens {
 // Cannot validate non-existent tokens.
 if ( false === $user_token || false === $blog_token ) {
 return false;
- };
+ }
 $method = 'POST';
 $body = array(
@@ -357,6 +367,11 @@ class Tokens {
 * @return object|false
 */
 public function get_access_token( $user_id = false, $token_key = false, $suppress_errors = true ) {
+ if ( $this->is_locked() ) {
+ $this->delete_all();
+ return false;
+ }
+
 $possible_special_tokens = array();
 $possible_normal_tokens = array();
 $user_tokens = $this->get_user_tokens();
@@ -592,4 +607,85 @@ class Tokens {
 public function update_user_tokens( $tokens ) {
 return Jetpack_Options::update_option( 'user_tokens', $tokens );
 }
+
+ /**
+ * Lock the tokens to the current site URL.
+ *
+ * @param int $timespan How long the tokens should be locked, in seconds.
+ *
+ * @return bool
+ */
+ public function set_lock( $timespan = HOUR_IN_SECONDS ) {
+ try {
+ $expires = ( new DateTime() )->add( DateInterval::createFromDateString( (int) $timespan . ' seconds' ) );
+ } catch ( Exception $e ) {
+ return false;
+ }
+
+ if ( false === $expires ) {
+ return false;
+ }
+
+ // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+ return Jetpack_Options::update_option( 'token_lock', $expires->format( static::DATE_FORMAT_ATOM ) . '|||' . base64_encode( Urls::site_url() ) );
+ }
+
+ /**
+ * Remove the site lock from tokens.
+ *
+ * @return bool
+ */
+ public function remove_lock() {
+ Jetpack_Options::delete_option( 'token_lock' );
+
+ return true;
+ }
+
+ /**
+ * Check if the domain is locked, remove the lock if needed.
+ * Possible scenarios:
+ * - lock expired, site URL matches the lock URL: remove the lock, return false.
+ * - lock not expired, site URL matches the lock URL: return false.
+ * - site URL does not match the lock URL (expiration date is ignored): return true, do not remove the lock.
+ *
+ * @return bool
+ */
+ public function is_locked() {
+ $the_lock = Jetpack_Options::get_option( 'token_lock' );
+ if ( ! $the_lock ) {
+ // Not locked.
+ return false;
+ }
+
+ $the_lock = explode( '|||', $the_lock, 2 );
+ if ( count( $the_lock ) !== 2 ) {
+ // Something's wrong with the lock.
+ $this->remove_lock();
+ return false;
+ }
+
+ // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
+ $locked_site_url = base64_decode( $the_lock[1] );
+ $expires = $the_lock[0];
+
+ $expiration_date = DateTime::createFromFormat( static::DATE_FORMAT_ATOM, $expires );
+ if ( false === $expiration_date || ! $locked_site_url ) {
+ // Something's wrong with the lock.
+ $this->remove_lock();
+ return false;
+ }
+
+ if ( Urls::site_url() === $locked_site_url ) {
+ if ( new DateTime() > $expiration_date ) {
+ // Site lock expired.
+ // Site URL matches, removing the lock.
+ $this->remove_lock();
+ }
+
+ return false;
+ }
+
+ // Site URL doesn't match.
+ return true;
+ }
 } |