Jetpack Connection: Add inline comments when whole input is processed

[fgiannar]

We are adding inline comments in the Connection package to explain cases where the whole $_POST input is used.
We are also refactoring setup_xmlrpc_handlers in Manager class to avoid using the whole $_POST input.

Proposed changes:

• Jetpack_Signature::sign_current_request: We need the whole $_POST in order to verify a cryptographic signature of the post data.
• Automattic\Jetpack\Connection\Manager::internal_verify_xml_rpc_signature: We need the whole $_POST in order to verify a cryptographic signature of the post data.
• Automattic\Jetpack\Connection\Manager::setup_xmlrpc_handlers: Deprecate the $request_params method argument and check for $_GET['for'] and $_GET['jetpack'] inside the method instead. I've audited the usage of this method and confirmed it's used only by the same class.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

p9dueE-8ca-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• For the inline comments: Code Review: Do you believe we need further explanation?
• For the change in setup_xmlrpc_handlers: I believe the best way to test this change (apart from the code review) would be to use the JP Debugger and confirm the same results for a given site with/without the PR applied. The JP Debugger will make a bunch of REST and XML-RPC requests to the site with/without authentication too. Also make sure to set the site to use the alternate XML-RPC url in order to set the comms param is properly checked too.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the update/connection-processing-whole-input-comments branch.

  • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack update/connection-processing-whole-input-comments
  

  bin/jetpack-downloader test jetpack-mu-wpcom-plugin update/connection-processing-whole-input-comments
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen daily.
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly. The next release is scheduled for June 4, 2024 (scheduled code freeze on June 3, 2024).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[bindlegirl]

LGTM but maybe @jeherve will have more advice

[fgiannar]

LGTM but maybe @jeherve will have more advice

Thanks Ana! I moved it back to In progress in order to address a few more cases @darssen discovered in the linked issue

[sergeymitr]

The code looks great, works as expected 👍

[anomiex]

This won't work right, for two reasons:

1. You need to put $_REQUEST first so it uses the values from the request.
2. The $request_params_needed_for_auth needs to have keys 'data', 'nonce', and so on. So either define it like 'data' => true, or use array_flip( $request_params_needed_for_auth ).

As written, $environment will probably be empty. If there's a $_REQUEST[0] or the like, it might be array( 0 => 'data' ) or the like.

[sergeymitr]

Good catch, thanks Brad!

[fgiannar]

Thank you Brad and Sergey and apologies for any trouble caused.

I decided to keep things simple and removed the whole logic of extracting the auth request params in verify_json_api_authorization_request so we can focus on exactly what the original issue was about.
The debugger related test instructions/unit tests are only applicable for deprecating the input arg in setup_xmlrpc_handlers anyways.

I also audited where we actually use verify_json_api_authorization_request and it looks like it’s mainly under the context of SSO anyways where the $environment is passed here.
The other usage, comes from Jetpack-the-plugin as an action handler for login_form_jetpack_json_api_authorization here

Final PR: #37445