Merge pull request #25112 from woocommerce/add/wccom-installer-api-error-code

Improve error codes for plugin installer API authentication
This commit is contained in:
Claudio Sanches 2019-12-02 17:46:31 -03:00 committed by GitHub
commit af849fbd8a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 178 additions and 3 deletions

View File

@ -15,6 +15,8 @@ defined( 'ABSPATH' ) || exit;
*/ */
class WC_WCCOM_Site { class WC_WCCOM_Site {
const AUTH_ERROR_FILTER_NAME = 'wccom_auth_error';
/** /**
* Load the WCCOM site class. * Load the WCCOM site class.
* *
@ -53,23 +55,78 @@ class WC_WCCOM_Site {
$auth_header = self::get_authorization_header(); $auth_header = self::get_authorization_header();
if ( empty( $auth_header ) ) { if ( empty( $auth_header ) ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_CODE,
WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_HTTP_CODE )
);
}
);
return false; return false;
} }
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$request_auth = trim( $auth_header ); $request_auth = trim( $auth_header );
if ( stripos( $request_auth, 'Bearer ' ) !== 0 ) { if ( stripos( $request_auth, 'Bearer ' ) !== 0 ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_CODE,
WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_HTTP_CODE )
);
}
);
return false; return false;
} }
if ( empty( $_SERVER['HTTP_X_WOO_SIGNATURE'] ) ) { if ( empty( $_SERVER['HTTP_X_WOO_SIGNATURE'] ) ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_CODE,
WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_HTTP_CODE )
);
}
);
return false; return false;
} }
require_once WC_ABSPATH . 'includes/admin/helper/class-wc-helper-options.php'; require_once WC_ABSPATH . 'includes/admin/helper/class-wc-helper-options.php';
$access_token = trim( substr( $request_auth, 7 ) ); $access_token = trim( substr( $request_auth, 7 ) );
$site_auth = WC_Helper_Options::get( 'auth' ); $site_auth = WC_Helper_Options::get( 'auth' );
if ( empty( $site_auth['access_token'] ) || ! hash_equals( $access_token, $site_auth['access_token'] ) ) {
if ( empty( $site_auth['access_token'] ) ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::SITE_NOT_CONNECTED_CODE,
WC_REST_WCCOM_Site_Installer_Errors::SITE_NOT_CONNECTED_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::SITE_NOT_CONNECTED_HTTP_CODE )
);
}
);
return false;
}
if ( ! hash_equals( $access_token, $site_auth['access_token'] ) ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::INVALID_TOKEN_CODE,
WC_REST_WCCOM_Site_Installer_Errors::INVALID_TOKEN_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::INVALID_TOKEN_HTTP_CODE )
);
}
);
return false; return false;
} }
@ -77,11 +134,31 @@ class WC_WCCOM_Site {
$signature = trim( $_SERVER['HTTP_X_WOO_SIGNATURE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $signature = trim( $_SERVER['HTTP_X_WOO_SIGNATURE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
if ( ! self::verify_wccom_request( $body, $signature, $site_auth['access_token_secret'] ) ) { if ( ! self::verify_wccom_request( $body, $signature, $site_auth['access_token_secret'] ) ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::REQUEST_VERIFICATION_FAILED_CODE,
WC_REST_WCCOM_Site_Installer_Errors::REQUEST_VERIFICATION_FAILED_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::REQUEST_VERIFICATION_FAILED_HTTP_CODE )
);
}
);
return false; return false;
} }
$user = get_user_by( 'id', $site_auth['user_id'] ); $user = get_user_by( 'id', $site_auth['user_id'] );
if ( ! $user ) { if ( ! $user ) {
add_filter(
self::AUTH_ERROR_FILTER_NAME,
function() {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::USER_NOT_FOUND_CODE,
WC_REST_WCCOM_Site_Installer_Errors::USER_NOT_FOUND_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::USER_NOT_FOUND_HTTP_CODE )
);
}
);
return false; return false;
} }
@ -166,6 +243,7 @@ class WC_WCCOM_Site {
* @return array Registered namespaces. * @return array Registered namespaces.
*/ */
public static function register_rest_namespace( $namespaces ) { public static function register_rest_namespace( $namespaces ) {
require_once WC_ABSPATH . 'includes/wccom-site/rest-api/class-wc-rest-wccom-site-installer-errors.php';
require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/class-wc-rest-wccom-site-installer-controller.php'; require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/class-wc-rest-wccom-site-installer-controller.php';
$namespaces['wccom-site/v1'] = array( $namespaces['wccom-site/v1'] = array(

View File

@ -0,0 +1,80 @@
<?php
/**
* WCCOM Site Installer Errors Class
*
* @package WooCommerce\WooCommerce_Site\Rest_Api
* @since 3.9.0
*/
defined( 'ABSPATH' ) || exit;
/**
* WCCOM Site Installer Errors Class
*
* Stores data for errors, returned by installer API.
*/
class WC_REST_WCCOM_Site_Installer_Errors {
/**
* Not unauthenticated generic error
*/
const NOT_AUTHENTICATED_CODE = 'not_authenticated';
const NOT_AUTHENTICATED_MESSAGE = 'Authentication required';
const NOT_AUTHENTICATED_HTTP_CODE = 401;
/**
* No Authorization header
*/
const NO_AUTH_HEADER_CODE = 'no_auth_header';
const NO_AUTH_HEADER_MESSAGE = 'No header "Authorization" present';
const NO_AUTH_HEADER_HTTP_CODE = 400;
/**
* Authorization header invalid
*/
const INVALID_AUTH_HEADER_CODE = 'no_auth_header';
const INVALID_AUTH_HEADER_MESSAGE = 'Header "Authorization" is invalid';
const INVALID_AUTH_HEADER_HTTP_CODE = 400;
/**
* No Signature header
*/
const NO_SIGNATURE_HEADER_CODE = 'no_signature_header';
const NO_SIGNATURE_HEADER_MESSAGE = 'No header "X-Woo-Signature" present';
const NO_SIGNATURE_HEADER_HTTP_CODE = 400;
/**
* Site not connected to WooCommerce.com
*/
const SITE_NOT_CONNECTED_CODE = 'site_not_connnected';
const SITE_NOT_CONNECTED_MESSAGE = 'Site not connected to WooCommerce.com';
const SITE_NOT_CONNECTED_HTTP_CODE = 401;
/**
* Provided access token is not valid
*/
const INVALID_TOKEN_CODE = 'invalid_token';
const INVALID_TOKEN_MESSAGE = 'Invalid access token provided';
const INVALID_TOKEN_HTTP_CODE = 401;
/**
* Request verification by provided signature failed
*/
const REQUEST_VERIFICATION_FAILED_CODE = 'request_verification_failed';
const REQUEST_VERIFICATION_FAILED_MESSAGE = 'Request verification by signature failed';
const REQUEST_VERIFICATION_FAILED_HTTP_CODE = 400;
/**
* User doesn't exist
*/
const USER_NOT_FOUND_CODE = 'user_not_found';
const USER_NOT_FOUND_MESSAGE = 'Token owning user not found';
const USER_NOT_FOUND_HTTP_CODE = 401;
/**
* No permissions error
*/
const NO_PERMISSION_CODE = 'forbidden';
const NO_PERMISSION_MESSAGE = 'You do not have permission to install plugin or theme';
const NO_PERMISSION_HTTP_CODE = 403;
}

View File

@ -69,8 +69,25 @@ class WC_REST_WCCOM_Site_Installer_Controller extends WC_REST_Controller {
* @return bool|WP_Error * @return bool|WP_Error
*/ */
public function check_permission( $request ) { public function check_permission( $request ) {
if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'install_themes' ) ) { $current_user = wp_get_current_user();
return new WP_Error( 'woocommerce_rest_cannot_install_product', __( 'You do not have permission to install plugin or theme', 'woocommerce' ), array( 'status' => 401 ) );
if ( empty( $current_user ) || ( $current_user instanceof WP_User && ! $current_user->exists() ) ) {
return apply_filters(
WC_WCCOM_Site::AUTH_ERROR_FILTER_NAME,
new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::NOT_AUTHENTICATED_CODE,
WC_REST_WCCOM_Site_Installer_Errors::NOT_AUTHENTICATED_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NOT_AUTHENTICATED_HTTP_CODE )
)
);
}
if ( ! user_can( $current_user, 'install_plugins' ) || ! user_can( $current_user, 'install_themes' ) ) {
return new WP_Error(
WC_REST_WCCOM_Site_Installer_Errors::NO_PERMISSION_CODE,
WC_REST_WCCOM_Site_Installer_Errors::NO_PERMISSION_MESSAGE,
array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_PERMISSION_HTTP_CODE )
);
} }
return true; return true;