SSO: add existing SSO classes to the Connection package. (#36587)

* SSO: add classes to Connection package.

* Add CSS and JS files

* Fix enqueues

* lowercase_p_dangit();

* changelog

* Bring changes over from module

* fix class references

* Bump version

* Add missing dependency

* Address Phan warnings

* Update Phan baseline

* Update lock files

* Update more Phan baselines

* changelog

* Bump versions

* Fix body type

* Add tests

* Limit to Jetpack plugin for now

The class still relies on Jetpack classes.

* Try to fix tests

* Fix test pollution

* Bring in change from #36589

* Bring in changes from #36605

* Fix user invite box id reference

* Update baseline for packages/backup

* Bring in changes from #36690

* Update class reference

See #36587 (comment)

* Fix namespace

See   #36587 (comment)

* Update Phan config

* Update Phan config again

* More Phan config updates

* changelog

* Update projects/packages/connection/src/sso/class-sso.php

Co-authored-by: Sergey Mitroshin <[email protected]>

* Bump versions

* Ensure generated files are loaded properly

* Bump versions

* Fix asset generation and update to use Assets class

* Bump version

---------

Co-authored-by: Brad Jorsch <[email protected]>
Co-authored-by: sergeymitr <[email protected]>

projects/packages/backup/.phan/baseline.php

@@ -10,16 +10,16 @@
 return [
     // # Issue statistics:
     // PhanTypeMismatchReturnProbablyReal : 15+ occurrences
-    // PhanTypeMismatchArgumentProbablyReal : 8 occurrences
     // PhanTypeMismatchReturn : 6 occurrences
+    // PhanTypeMismatchArgumentProbablyReal : 3 occurrences
     // PhanUndeclaredStaticMethod : 2 occurrences
     // PhanPossiblyUndeclaredVariable : 1 occurrence
     // PhanUndeclaredClassMethod : 1 occurrence
 
     // Currently, file_suppressions and directory_suppressions are the only supported suppressions
     'file_suppressions' => [
         'src/class-jetpack-backup.php' => ['PhanPossiblyUndeclaredVariable', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal', 'PhanUndeclaredClassMethod', 'PhanUndeclaredStaticMethod'],
-        'src/class-rest-controller.php' => ['PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal'],
+        'src/class-rest-controller.php' => ['PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal'],
     ],
     // 'directory_suppressions' => ['src/directory_name' => ['PhanIssueName1', 'PhanIssueName2']] can be manually added if needed.
     // (directory_suppressions will currently be ignored by subsequent calls to --save-baseline, but may be preserved in future Phan releases)

projects/packages/backup/changelog/add-sso-classes-connection

@@ -0,0 +1,5 @@
+Significance: patch
+Type: changed
+Comment: Phan: update baseline files
+
+

projects/packages/backup/src/class-package-version.php

@@ -16,7 +16,7 @@
  */
 class Package_Version {
 
-	const PACKAGE_VERSION = '3.3.7';
+	const PACKAGE_VERSION = '3.3.8-alpha';
 
 	const PACKAGE_SLUG = 'backup';
 

projects/packages/connection/.gitattributes

@@ -10,8 +10,10 @@ tests/           export-ignore
 /dist/**         production-include
 
 # Files not needed in the production build.
-.phpcs.dir.xml     production-exclude
-/changelog/**      production-exclude
-.gitignore         production-exclude
-src/js/**          production-exclude
-webpack.config.js  production-exclude
+.phpcs.dir.xml    production-exclude
+/changelog/**     production-exclude
+.gitignore        production-exclude
+src/js/**         production-exclude
+webpack.config.js production-exclude
+/dist/*.css.map   production-exclude
+/dist/*.js.map    production-exclude

projects/packages/connection/.phan/baseline.php

@@ -12,19 +12,19 @@
     // PhanTypeMismatchArgument : 55+ occurrences
     // PhanParamTooMany : 40+ occurrences
     // PhanUndeclaredMethod : 35+ occurrences
+    // PhanTypeMismatchArgumentProbablyReal : 20+ occurrences
     // PhanDeprecatedFunction : 15+ occurrences
     // PhanPluginDuplicateConditionalNullCoalescing : 15+ occurrences
-    // PhanTypeMismatchArgumentProbablyReal : 15+ occurrences
     // PhanTypeMismatchReturn : 15+ occurrences
     // PhanUndeclaredClassMethod : 15+ occurrences
     // PhanTypeMismatchProperty : 9 occurrences
     // PhanTypeMismatchPropertyProbablyReal : 9 occurrences
+    // PhanNoopNew : 8 occurrences
     // PhanTypeMismatchReturnProbablyReal : 8 occurrences
     // PhanUndeclaredProperty : 8 occurrences
-    // PhanNoopNew : 6 occurrences
+    // PhanRedundantCondition : 5 occurrences
     // PhanTypeArraySuspiciousNullable : 5 occurrences
     // PhanTypeMismatchDefault : 5 occurrences
-    // PhanRedundantCondition : 4 occurrences
     // PhanTypeMismatchArgumentInternal : 4 occurrences
     // PhanTypeMismatchArgumentNullable : 4 occurrences
     // PhanTypeObjectUnsetDeclaredProperty : 3 occurrences
@@ -33,6 +33,7 @@
     // PhanCommentParamWithoutRealParam : 2 occurrences
     // PhanImpossibleCondition : 2 occurrences
     // PhanNonClassMethodCall : 2 occurrences
+    // PhanPluginUnreachableCode : 2 occurrences
     // PhanPossiblyUndeclaredVariable : 2 occurrences
     // PhanTypeMismatchPropertyDefault : 2 occurrences
     // PhanTypeMismatchReturnNullable : 2 occurrences
@@ -72,10 +73,13 @@
         'src/class-secrets.php' => ['PhanCommentParamWithoutRealParam', 'PhanNonClassMethodCall', 'PhanTypeMismatchArgument'],
         'src/class-server-sandbox.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanTypeMismatchArgument'],
         'src/class-tokens.php' => ['PhanImpossibleTypeComparison', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchReturn', 'PhanTypeMismatchReturnProbablyReal'],
-        'src/class-tracking.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypePossiblyInvalidDimOffset', 'PhanUndeclaredClassMethod'],
+        'src/class-tracking.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchDefault', 'PhanTypePossiblyInvalidDimOffset'],
         'src/class-urls.php' => ['PhanTypeSuspiciousStringExpression', 'PhanUndeclaredFunctionInCallable'],
         'src/class-webhooks.php' => ['PhanTypeMismatchArgumentProbablyReal'],
         'src/class-xmlrpc-connector.php' => ['PhanUndeclaredTypeReturnType'],
+        'src/sso/class-helpers.php' => ['PhanTypeMismatchArgumentProbablyReal'],
+        'src/sso/class-sso.php' => ['PhanNoopNew', 'PhanRedundantCondition', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentProbablyReal', 'PhanUndeclaredClassMethod'],
+        'src/sso/class-user-admin.php' => ['PhanPluginUnreachableCode', 'PhanTypeMismatchArgument'],
         'src/webhooks/class-authorize-redirect.php' => ['PhanTypeMismatchArgumentNullable', 'PhanTypeMismatchProperty', 'PhanUndeclaredClassMethod', 'PhanUndeclaredClassReference', 'PhanUndeclaredTypeProperty'],
         'tests/php/test-class-nonce-handler.php' => ['PhanPluginDuplicateAdjacentStatement', 'PhanTypeMismatchArgument'],
         'tests/php/test-class-plugin.php' => ['PhanUndeclaredTypeThrowsType'],

projects/packages/connection/changelog/add-sso-classes-connection

@@ -0,0 +1,4 @@
+Significance: patch
+Type: added
+
+SSO: add SSO feature to the package.

projects/packages/connection/composer.json

@@ -7,6 +7,7 @@
 		"php": ">=7.0",
 		"automattic/jetpack-a8c-mc-stats": "@dev",
 		"automattic/jetpack-admin-ui": "@dev",
+		"automattic/jetpack-assets": "@dev",
 		"automattic/jetpack-constants": "@dev",
 		"automattic/jetpack-roles": "@dev",
 		"automattic/jetpack-status": "@dev",

projects/packages/connection/src/class-client.php

@@ -408,11 +408,11 @@ public static function validate_args_for_wpcom_json_api_request(
 	/**
 	 * Queries the WordPress.com REST API with a user token.
 	 *
-	 * @param  string $path             REST API path.
-	 * @param  string $version          REST API version. Default is `2`.
-	 * @param  array  $args             Arguments to {@see WP_Http}. Default is `array()`.
-	 * @param  string $body             Body passed to {@see WP_Http}. Default is `null`.
-	 * @param  string $base_api_path    REST API root. Default is `wpcom`.
+	 * @param string            $path             REST API path.
+	 * @param string            $version          REST API version. Default is `2`.
+	 * @param array             $args             Arguments to {@see WP_Http}. Default is `array()`.
+	 * @param null|string|array $body       Body passed to {@see WP_Http}. Default is `null`.
+	 * @param string            $base_api_path    REST API root. Default is `wpcom`.
 	 *
 	 * @return array|WP_Error $response Response data, else {@see WP_Error} on failure.
 	 */

projects/packages/connection/src/class-package-version.php

@@ -12,7 +12,7 @@
  */
 class Package_Version {
 
-	const PACKAGE_VERSION = '2.7.1';
+	const PACKAGE_VERSION = '2.7.2-alpha';
 
 	const PACKAGE_SLUG = 'connection';
 

projects/packages/connection/src/sso/class-force-2fa.php

@@ -0,0 +1,182 @@
+<?php
+/**
+ * Force Jetpack 2FA Functionality
+ *
+ * Ported from original repo at https://github.com/automattic/jetpack-force-2fa
+ *
+ * @package automattic/jetpack-connection
+ */
+
+namespace Automattic\Jetpack\Connection\SSO;
+
+use Automattic\Jetpack\Connection\SSO;
+use Automattic\Jetpack\Modules;
+use WP_Error;
+
+/**
+ * Force users to use two factor authentication.
+ */
+class Force_2FA {
+	/**
+	 * The role to force 2FA for.
+	 *
+	 * Defaults to manage_options via the plugins_loaded function.
+	 * Can be modified with the jetpack_force_2fa_cap filter.
+	 *
+	 * @var string
+	 */
+	private $role;
+
+	/**
+	 * Constructor.
+	 */
+	public function __construct() {
+		add_action( 'after_setup_theme', array( $this, 'plugins_loaded' ) );
+	}
+
+	/**
+	 * Load the plugin via the plugins_loaded hook.
+	 */
+	public function plugins_loaded() {
+		/**
+		 * Filter the role to force 2FA for.
+		 * Defaults to manage_options.
+		 *
+		 * @param string $role The role to force 2FA for.
+		 * @return string
+		 * @since jetpack-12.7
+		 * @module SSO
+		 */
+		$this->role = apply_filters( 'jetpack_force_2fa_cap', 'manage_options' );
+
+		// Bail if Jetpack SSO is not active
+		if (
+			! class_exists( 'Jetpack' )
+			|| ! ( new Modules() )->is_active( 'sso' )
+		) {
+			add_action( 'admin_notices', array( $this, 'admin_notice' ) );
+			return;
+		}
+
+		$this->force_2fa();
+	}
+
+	/**
+	 * Display an admin notice if Jetpack SSO is not active.
+	 */
+	public function admin_notice() {
+		/**
+		 * Filter if an admin notice is deplayed when Force 2FA is required, but SSO is not enabled.
+		 * Defaults to true.
+		 *
+		 * @param bool $display_notice Whether to display the notice.
+		 * @return bool
+		 * @since jetpack-12.7
+		 * @module SSO
+		 */
+		if ( apply_filters( 'jetpack_force_2fa_dependency_notice', true ) && current_user_can( $this->role ) ) {
+			printf( '<div class="%1$s"><p>%2$s</p></div>', 'notice notice-warning', 'Jetpack Force 2FA requires Jetpack and the Jetpack SSO module.' );
+		}
+	}
+
+	/**
+	 * Force 2FA when using Jetpack SSO and force Jetpack SSO.
+	 *
+	 * @return void
+	 */
+	private function force_2fa() {
+		// Allows WP.com login to a local account if it matches the local account.
+		add_filter( 'jetpack_sso_match_by_email', '__return_true', 9999 );
+
+		// multisite
+		if ( is_multisite() ) {
+
+			// Hide the login form
+			add_filter( 'jetpack_remove_login_form', '__return_true', 9999 );
+			add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true', 9999 );
+			add_filter( 'jetpack_sso_display_disclaimer', '__return_false', 9999 );
+
+			add_filter(
+				'wp_authenticate_user',
+				function () {
+					return new WP_Error( 'wpcom-required', $this->get_login_error_message() ); },
+				9999
+			);
+
+			add_filter( 'jetpack_sso_require_two_step', '__return_true' );
+
+			add_filter( 'allow_password_reset', '__return_false' );
+		} else {
+			// Not multisite.
+
+			// Completely disable the standard login form for admins.
+			add_filter(
+				'wp_authenticate_user',
+				function ( $user ) {
+					if ( is_wp_error( $user ) ) {
+						return $user;
+					}
+					if ( $user->has_cap( $this->role ) ) {
+						return new WP_Error( 'wpcom-required', $this->get_login_error_message(), $user->user_login );
+					}
+					return $user;
+				},
+				9999
+			);
+
+			add_filter(
+				'allow_password_reset',
+				function ( $allow, $user_id ) {
+					if ( user_can( $user_id, $this->role ) ) {
+						return false;
+					}
+					return $allow; },
+				9999,
+				2
+			);
+
+			add_action( 'jetpack_sso_pre_handle_login', array( $this, 'jetpack_set_two_step' ) );
+		}
+	}
+
+	/**
+	 * Specifically set the two step filter for Jetpack SSO.
+	 *
+	 * @param Object $user_data The user data from WordPress.com.
+	 *
+	 * @return void
+	 */
+	public function jetpack_set_two_step( $user_data ) {
+		$user = SSO::get_user_by_wpcom_id( $user_data->ID );
+
+		// Borrowed from Jetpack. Ignores the match_by_email setting.
+		if ( empty( $user ) ) {
+			$user = get_user_by( 'email', $user_data->email );
+		}
+
+		if ( $user && $user->has_cap( $this->role ) ) {
+			add_filter( 'jetpack_sso_require_two_step', '__return_true' );
+		}
+	}
+
+	/**
+	 * Get the login error message.
+	 *
+	 * @return string
+	 */
+	private function get_login_error_message() {
+		/**
+		 * Filter the login error message.
+		 * Defaults to a message that explains the user must use a WordPress.com account with 2FA enabled.
+		 *
+		 * @param string $message The login error message.
+		 * @return string
+		 * @since jetpack-12.7
+		 * @module SSO
+		 */
+		return apply_filters(
+			'jetpack_force_2fa_login_error_message',
+			sprintf( 'For added security, please log in using your WordPress.com account.<br /><br />Note: Your account must have <a href="%1$s" target="_blank">Two Step Authentication</a> enabled, which can be configured from <a href="%2$s" target="_blank">Security Settings</a>.', 'https://support.wordpress.com/security/two-step-authentication/', 'https://wordpress.com/me/security/two-step' )
+		);
+	}
+}