Code Coverage for projects/packages/waf/src/class-brute-force-protection.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	7.87% covered (danger)	7.87%	30 / 381	2.50% covered (danger)	2.50%	1 / 40	CRAP	0.00% covered (danger)	0.00%	0 / 1
Brute_Force_Protection	7.87% covered (danger)	7.87%	30 / 381	2.50% covered (danger)	2.50%	1 / 40	21711.80	0.00% covered (danger)	0.00%	0 / 1
instance	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	6
__construct	0.00% covered (danger)	0.00%	0 / 15	0.00% covered (danger)	0.00%	0 / 1	12
initialize	42.86% covered (danger)	42.86%	3 / 7	0.00% covered (danger)	0.00%	0 / 1	12.72
on_activation	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	20
on_deactivation	0.00% covered (danger)	0.00%	0 / 2	0.00% covered (danger)	0.00%	0 / 1	12
is_enabled	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
enable	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	6
disable	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	6
maybe_get_protect_key	0.00% covered (danger)	0.00%	0 / 5	0.00% covered (danger)	0.00%	0 / 1	12
maybe_update_headers	0.00% covered (danger)	0.00%	0 / 10	0.00% covered (danger)	0.00%	0 / 1	72
maybe_display_security_warning	0.00% covered (danger)	0.00%	0 / 11	0.00% covered (danger)	0.00%	0 / 1	56
prepare_jetpack_protect_multisite_notice	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	6
ajax_dismiss_handler	0.00% covered (danger)	0.00%	0 / 5	0.00% covered (danger)	0.00%	0 / 1	6
admin_jetpack_manage_notice	0.00% covered (danger)	0.00%	0 / 27	0.00% covered (danger)	0.00%	0 / 1	6
get_active_plugins	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	12
deactivate_plugin	0.00% covered (danger)	0.00%	0 / 8	0.00% covered (danger)	0.00%	0 / 1	20
get_protect_key	0.00% covered (danger)	0.00%	0 / 33	0.00% covered (danger)	0.00%	0 / 1	72
log_failed_attempt	85.71% covered (warning)	85.71%	12 / 14	0.00% covered (danger)	0.00%	0 / 1	8.19
modules_loaded	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
log_successful_login	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	6
check_preauth	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	30
get_headers	0.00% covered (danger)	0.00%	0 / 24	0.00% covered (danger)	0.00%	0 / 1	12
ip_allow_list_enabled	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
ip_is_whitelisted		n/a	0 / 0		n/a	0 / 0	1
ip_is_allowed	0.00% covered (danger)	0.00%	0 / 15	0.00% covered (danger)	0.00%	0 / 1	210
check_login_ability	0.00% covered (danger)	0.00%	0 / 16	0.00% covered (danger)	0.00%	0 / 1	72
is_current_ip_whitelisted		n/a	0 / 0		n/a	0 / 0	1
is_current_ip_allowed	0.00% covered (danger)	0.00%	0 / 13	0.00% covered (danger)	0.00%	0 / 1	30
has_login_ability	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	20
get_cached_status	0.00% covered (danger)	0.00%	0 / 5	0.00% covered (danger)	0.00%	0 / 1	6
block_with_math	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	6
kill_login	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	90
check_use_math	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	6
get_main_blog_id	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	6
get_main_blog_jetpack_id	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	6
check_api_key	0.00% covered (danger)	0.00%	0 / 10	0.00% covered (danger)	0.00%	0 / 1	30
protect_call	0.00% covered (danger)	0.00%	0 / 45	0.00% covered (danger)	0.00%	0 / 1	132
get_transient_name	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	2
set_transient	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	12
delete_transient	33.33% covered (danger)	33.33%	2 / 6	0.00% covered (danger)	0.00%	0 / 1	5.67
get_transient	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	12
get_local_host	80.00% covered (warning)	80.00%	12 / 15	0.00% covered (danger)	0.00%	0 / 1	6.29

1	<?php
2	/**
3	* Class used to define Brute Force Protection.
4	*
5	* @package automattic/jetpack-waf
6	*/
7
8	namespace Automattic\Jetpack\Waf\Brute_Force_Protection;
9
10	use Automattic\Jetpack\Connection\Manager as Connection_Manager;
11	use Automattic\Jetpack\Constants;
12	use Automattic\Jetpack\CookieState;
13	use Automattic\Jetpack\IP\Utils as IP_Utils;
14	use Automattic\Jetpack\Modules;
15	use Automattic\Jetpack\Waf\Waf_Compatibility;
16	use Automattic\Jetpack\Waf\Waf_Constants;
17	use Automattic\Jetpack\Waf\Waf_Rules_Manager;
18	use Jetpack_IXR_Client;
19	use Jetpack_Options;
20	use WP_Error;
21
22	/**
23	* Brute Force Protection class.
24	*
25	* @phan-constructor-used-for-side-effects
26	*/
27	class Brute_Force_Protection {
28
29	/**
30	* Instance of the class.
31	*
32	* @var Brute_Force_Protection
33	*/
34	private static $instance = null;
35
36	/**
37	* API Key.
38	*
39	* @var string
40	*/
41	public $api_key;
42
43	/**
44	* API Key error.
45	*
46	* @var string
47	*/
48	public $api_key_error;
49
50	/**
51	* IP allow list.
52	*
53	* @var array
54	*/
55	public $allow_list;
56
57	/**
58	* IP allow list error.
59	*
60	* @var string
61	*/
62	public $allow_list_error;
63
64	/**
65	* IP allow list saved
66	*
67	* @todo find out if this is even used.
68	*
69	* @var array
70	*/
71	public $allow_list_saved;
72
73	/**
74	* The URI.
75	*
76	* @var string
77	*/
78	private $local_host;
79
80	/**
81	* Last request.
82	*
83	* @todo find out if this is even used.
84	*
85	* @var string
86	*/
87	public $last_request;
88
89	/**
90	* Response fetched from wp_remote_post()
91	*
92	* @var array
93	*/
94	public $last_response_raw;
95
96	/**
97	* Last response.
98	*
99	* @todo find out if this is used.
100	* @var array
101	*/
102	public $last_response;
103
104	/**
105	* Block login with math, default is 1.
106	*
107	* @var int
108	*/
109	private $block_login_with_math;
110
111	/**
112	* Singleton implementation
113	*
114	* @return object
115	*/
116	public static function instance() {
117	if ( ! is_a( self::$instance, 'Brute_Force_Protection' ) ) {
118	self::$instance = new Brute_Force_Protection();
119	}
120
121	return self::$instance;
122	}
123
124	/**
125	* Registers actions
126	*/
127	private function __construct() {
128	// Older versions of Jetpack initialize brute force protection directly in the plugin.
129	// Return early to avoid running it twice.
130	if ( Waf_Compatibility::is_brute_force_running_in_jetpack() ) {
131	return;
132	}
133
134	add_action( 'jetpack_modules_loaded', array( $this, 'modules_loaded' ) );
135	add_action( 'login_form', array( $this, 'check_use_math' ), 0 );
136	add_filter( 'authenticate', array( $this, 'check_preauth' ), 10, 3 );
137	add_filter( 'jetpack_has_login_ability', array( $this, 'has_login_ability' ) );
138	add_action( 'wp_login', array( $this, 'log_successful_login' ), 10, 2 );
139	add_action( 'wp_login_failed', array( $this, 'log_failed_attempt' ), 10, 2 );
140	add_action( 'admin_init', array( $this, 'maybe_update_headers' ) );
141	add_action( 'admin_init', array( $this, 'maybe_display_security_warning' ) );
142
143	// This is a backup in case $pagenow fails for some reason.
144	add_action( 'login_form', array( $this, 'check_login_ability' ), 1 );
145
146	// Runs a script every day to clean up expired transients so they don't
147	// clog up our users' databases.
148	add_action( 'admin_init', array( '\Automattic\Jetpack\Waf\Brute_Force_Protection\Brute_Force_Protection_Transient_Cleanup', 'jp_purge_transients_activation' ) );
149	add_action( 'jp_purge_transients_cron', array( '\Automattic\Jetpack\Waf\Brute_Force_Protection\Brute_Force_Protection_Transient_Cleanup', 'jp_purge_transients' ) );
150
151	// Load math fallback after math page form submission.
152	if ( isset( $_POST['jetpack_protect_process_math_form'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- POST request just determines if we need to use Math for Authentication.
153
154	new Brute_Force_Protection_Math_Authenticate();
155	}
156	}
157
158	/**
159	* Run brute force protection.
160	*
161	* @return void
162	*/
163	public static function initialize() {
164	// Older versions of Jetpack initialize brute force protection directly in the plugin.
165	// Return early to avoid running it twice.
166	if ( Waf_Compatibility::is_brute_force_running_in_jetpack() ) {
167	return;
168	}
169
170	$brute_force_protection_is_enabled = self::is_enabled();
171	if ( $brute_force_protection_is_enabled && ( new Connection_Manager() )->is_connected() ) {
172	global $pagenow;
173	$brute_force_protection = self::instance();
174
175	if ( isset( $pagenow ) && 'wp-login.php' === $pagenow ) {
176	$brute_force_protection->check_login_ability();
177	}
178	}
179	}
180
181	/**
182	* On module activation, try to get an api key
183	*/
184	public function on_activation() {
185	if ( is_multisite() && is_main_site() && get_site_option( 'jetpack_protect_active', 0 ) == 0 ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
186	update_site_option( 'jetpack_protect_active', 1 );
187	}
188
189	update_site_option( 'jetpack_protect_activating', 'activating' );
190
191	// Get BruteProtect's counter number.
192	$this->protect_call( 'check_key' );
193	}
194
195	/**
196	* On module deactivation, unset protect_active
197	*/
198	public function on_deactivation() {
199	if ( is_multisite() && is_main_site() ) {
200	update_site_option( 'jetpack_protect_active', 0 );
201	}
202	}
203
204	/**
205	* Determines if the brute force protection module is enabled on the site.
206	*
207	* @return bool
208	*/
209	public static function is_enabled() {
210	return ( new Modules() )->is_active( 'protect' );
211	}
212
213	/**
214	* Enables the brute force protection module.
215	*
216	* @return bool
217	*/
218	public static function enable() {
219	// Return true if already enabled.
220	if ( self::is_enabled() ) {
221	return true;
222	}
223	return ( new Modules() )->activate( 'protect', false, false );
224	}
225
226	/**
227	* Disables the brute force protection module.
228	*
229	* @return bool
230	*/
231	public static function disable() {
232	// Return true if already disabled.
233	if ( ! self::is_enabled() ) {
234	return true;
235	}
236	return ( new Modules() )->deactivate( 'protect' );
237	}
238
239	/**
240	* Get the protect key,
241	*/
242	public function maybe_get_protect_key() {
243	if ( get_site_option( 'jetpack_protect_activating', false ) && ! get_site_option( 'jetpack_protect_key', false ) ) {
244	$key = $this->get_protect_key();
245	delete_site_option( 'jetpack_protect_activating' );
246	return $key;
247	}
248
249	return get_site_option( 'jetpack_protect_key' );
250	}
251
252	/**
253	* Sends a "check_key" API call once a day. This call allows us to track IP-related
254	* headers for this server via the Protect API, in order to better identify the source
255	* IP for login attempts
256	*
257	* @param bool $force - if we're forcing the request.
258	*/
259	public function maybe_update_headers( $force = false ) {
260	$updated_recently = $this->get_transient( 'jpp_headers_updated_recently' );
261
262	if ( ! $force ) {
263	if ( isset( $_GET['protect_update_headers'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- this doesn't change anything, just forces the once-a-day check to run via force if set.
264	$force = true;
265	}
266	}
267
268	// check that current user is admin so we prevent a lower level user from adding
269	// a trusted header, allowing them to brute force an admin account.
270	if ( ( $updated_recently && ! $force ) \|\| ! current_user_can( 'update_plugins' ) ) {
271	return;
272	}
273
274	$response = self::protect_call( 'check_key' );
275	$this->set_transient( 'jpp_headers_updated_recently', 1, DAY_IN_SECONDS );
276
277	if ( isset( $response['msg'] ) && $response['msg'] ) {
278	update_site_option( 'trusted_ip_header', json_decode( $response['msg'] ) );
279	}
280	}
281
282	/**
283	* Handle displaying a security warning.
284	*/
285	public function maybe_display_security_warning() {
286	if ( is_multisite() && current_user_can( 'manage_network' ) ) {
287	if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
288	require_once ABSPATH . '/wp-admin/includes/plugin.php';
289	}
290
291	// This warning is only relevant if either Jetpack or Jetpack Protect is active.
292	if ( defined( 'JETPACK__PLUGIN_FILE' ) ) {
293	$plugin_root_file = JETPACK__PLUGIN_FILE;
294	} elseif ( defined( 'JETPACK_PROTECT_ROOT_FILE' ) ) {
295	$plugin_root_file = JETPACK_PROTECT_ROOT_FILE;
296	} else {
297	return;
298	}
299
300	if ( ! is_plugin_active_for_network( plugin_basename( $plugin_root_file ) ) ) {
301	add_action( 'load-index.php', array( $this, 'prepare_jetpack_protect_multisite_notice' ) );
302	add_action( 'wp_ajax_jetpack-protect-dismiss-multisite-banner', array( $this, 'ajax_dismiss_handler' ) );
303	}
304	}
305	}
306
307	/**
308	* Handles preparing the multisite notice.
309	*/
310	public function prepare_jetpack_protect_multisite_notice() {
311	$dismissed = get_site_option( 'jetpack_dismissed_protect_multisite_banner' );
312	if ( $dismissed ) {
313	return;
314	}
315
316	add_action( 'admin_notices', array( $this, 'admin_jetpack_manage_notice' ) );
317	}
318
319	/**
320	* Handle dismissing the multisite banner.
321	*/
322	public function ajax_dismiss_handler() {
323	check_ajax_referer( 'jetpack_protect_multisite_banner_opt_out' );
324
325	if ( ! current_user_can( 'manage_network' ) ) {
326	// @phan-suppress-next-line PhanTypeMismatchArgumentProbablyReal -- It takes null, but its phpdoc only says int.
327	wp_send_json_error( new WP_Error( 'insufficient_permissions' ), null, JSON_UNESCAPED_SLASHES );
328	}
329
330	update_site_option( 'jetpack_dismissed_protect_multisite_banner', true );
331
332	// @phan-suppress-next-line PhanTypeMismatchArgumentProbablyReal -- It takes null, but its phpdoc only says int.
333	wp_send_json_success( null, null, JSON_UNESCAPED_SLASHES );
334	}
335
336	/**
337	* Displays a warning about Brute Force Protection's network activation requirement.
338	* Attaches some custom JS to Core's `is-dismissible` UI to save the dismissed state.
339	*/
340	public function admin_jetpack_manage_notice() {
341	?>
342	<div class="jetpack-protect-warning notice notice-warning is-dismissible" data-dismiss-nonce="<?php echo esc_attr( wp_create_nonce( 'jetpack_protect_multisite_banner_opt_out' ) ); ?>">
343	<h2><?php esc_html_e( 'Brute Force Protection cannot keep your site secure', 'jetpack-waf' ); ?></h2>
344
345	<p>
346	<?php
347	printf(
348	/* Translators: placeholder is a plugin name (Jetpack Protect or Jetpack). */
349	esc_html__( 'Thanks for activating the Brute Force Protection feature! To start protecting your whole WordPress Multisite Network, please network activate the %1$s plugin. Due to the way logins are handled on WordPress Multisite Networks, %1$s must be network activated in order for the Brute Force Protection feature to work properly.', 'jetpack-waf' ),
350	defined( 'JETPACK_PROTECT_NAME' ) ? esc_html( JETPACK_PROTECT_NAME ) : 'Jetpack'
351	);
352	?>
353	</p>
354
355	<p>
356	<a class="button-primary" href="<?php echo esc_url( network_admin_url( 'plugins.php' ) ); ?>">
357	<?php esc_html_e( 'View Network Admin', 'jetpack-waf' ); ?>
358	</a>
359	<a class="button" href="<?php echo esc_url( __( 'https://jetpack.com/support/multisite-protect', 'jetpack-waf' ) ); ?>" target="_blank">
360	<?php esc_html_e( 'Learn More', 'jetpack-waf' ); ?>
361	</a>
362	</p>
363	</div>
364	<script>
365	jQuery( function( $ ) {
366	$( '.jetpack-protect-warning' ).on( 'click', 'button.notice-dismiss', function( event ) {
367	event.preventDefault();
368
369	wp.ajax.post(
370	'jetpack-protect-dismiss-multisite-banner',
371	{
372	_wpnonce: $( event.delegateTarget ).data( 'dismiss-nonce' ),
373	}
374	).fail( function( error ) {
375	<?php
376	// A failure here is really strange, and there's not really anything a site owner can do to fix one.
377	// Just log the error for now to help debugging.
378	?>
379
380	if ( 'function' === typeof error.done && '-1' === error.responseText ) {
381	console.error( 'Notice dismissal failed: check_ajax_referer' );
382	} else {
383	console.error( 'Notice dismissal failed: ' + JSON.stringify( error ) );
384	}
385	} )
386	} );
387	} );
388	</script>
389	<?php
390	}
391
392	/**
393	* Gets all plugins currently active in values, regardless of whether they're
394	* traditionally activated or network activated.
395	*
396	* Forked from Jetpack::get_active_plugins from the Jetpack plugin.
397	*
398	* @return string[]
399	*/
400	public static function get_active_plugins() {
401	$active_plugins = (array) get_option( 'active_plugins', array() );
402
403	if ( is_multisite() ) {
404	// Due to legacy code, active_sitewide_plugins stores them in the keys,
405	// whereas active_plugins stores them in the values.
406	$network_plugins = array_keys( get_site_option( 'active_sitewide_plugins', array() ) );
407	if ( $network_plugins ) {
408	$active_plugins = array_merge( $active_plugins, $network_plugins );
409	}
410	}
411
412	sort( $active_plugins );
413
414	return array_unique( $active_plugins );
415	}
416
417	/**
418	* Deactivate a plugin.
419	*
420	* @param string $probable_file Expected plugin file.
421	* @param string $probable_title Expected plugin title.
422	*
423	* @return void
424	*/
425	public static function deactivate_plugin( $probable_file, $probable_title ) {
426	include_once ABSPATH . 'wp-admin/includes/plugin.php';
427	if ( is_plugin_active( $probable_file ) ) {
428	deactivate_plugins( $probable_file );
429	} else {
430	// If the plugin is not in the usual place, try looking through all active plugins.
431	$active_plugins = get_option( 'active_plugins' );
432	foreach ( $active_plugins as $plugin ) {
433	$data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
434	if ( $data['Name'] === $probable_title ) {
435	deactivate_plugins( $plugin );
436	}
437	}
438	}
439	}
440
441	/**
442	* Request an api key from wordpress.com
443	*
444	* @return bool \| string
445	*/
446	public function get_protect_key() {
447
448	$protect_blog_id = self::get_main_blog_jetpack_id();
449
450	// If we can't find the the blog id, that means we are on multisite, and the main site never connected
451	// the protect api key is linked to the main blog id - instruct the user to connect their main blog.
452	if ( ! $protect_blog_id ) {
453	$this->api_key_error = __( 'Your main blog is not connected to WordPress.com. Please connect to get an API key.', 'jetpack-waf' );
454
455	return false;
456	}
457
458	$request = array(
459	'jetpack_blog_id' => $protect_blog_id,
460	'bruteprotect_api_key' => get_site_option( 'bruteprotect_api_key' ),
461	'multisite' => '0',
462	);
463
464	// Send the number of blogs on the network if we are on multisite.
465	if ( is_multisite() ) {
466	$request['multisite'] = get_blog_count();
467	if ( ! $request['multisite'] ) {
468	global $wpdb;
469	$request['multisite'] = $wpdb->get_var( "SELECT COUNT(blog_id) as c FROM $wpdb->blogs WHERE spam = '0' AND deleted = '0' and archived = '0'" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
470	}
471	}
472
473	// Request the key.
474	$xml = new Jetpack_IXR_Client();
475	$xml->query( 'jetpack.protect.requestKey', $request );
476
477	// Hmm, can't talk to wordpress.com.
478	if ( $xml->isError() ) {
479	$code = $xml->getErrorCode();
480	$message = $xml->getErrorMessage();
481	// Translators: The xml error code, and the xml error message.
482	$this->api_key_error = sprintf( __( 'Error connecting to WordPress.com. Code: %1$s, %2$s', 'jetpack-waf' ), $code, $message );
483
484	return false;
485	}
486
487	$response = $xml->getResponse();
488
489	// Hmm, can't talk to the protect servers ( api.bruteprotect.com ).
490	if ( ! isset( $response['data'] ) ) {
491	$this->api_key_error = __( 'No reply from Jetpack servers', 'jetpack-waf' );
492
493	return false;
494	}
495
496	// There was an issue generating the key.
497	if ( empty( $response['success'] ) ) {
498	$this->api_key_error = $response['data'];
499
500	return false;
501	}
502
503	// Key generation successful!
504	$active_plugins = self::get_active_plugins();
505
506	// We only want to deactivate BruteProtect if we successfully get a key.
507	if ( in_array( 'bruteprotect/bruteprotect.php', $active_plugins, true ) ) {
508	self::deactivate_plugin( 'bruteprotect/bruteprotect.php', 'BruteProtect' );
509	}
510
511	$key = $response['data'];
512	update_site_option( 'jetpack_protect_key', $key );
513
514	return $key;
515	}
516
517	/**
518	* Called via WP action wp_login_failed to log failed attempt with the api
519	*
520	* Fires custom, plugable action jpp_log_failed_attempt with the IP
521	*
522	* @param string\|null $username - The username or email address attempting to log in.
523	* @param \WP_Error\|string\|null $error - A WP_Error object or error message with the authentication failure details.
524	*
525	* @return void
526	*/
527	public function log_failed_attempt( $username, $error = null ) {
528	$username = $username ?? '';
529
530	// Skip if Account protection password validation error.
531	if ( is_object( $error ) && isset( $error->errors['password_detection_validation_error'] ) ) {
532	return;
533	}
534
535	/**
536	* Fires before every failed login attempt.
537	*
538	* @module protect
539	*
540	* @since 3.4.0
541	*
542	* @param array Information about failed login attempt
543	* [
544	* 'login' => (string) Username or email used in failed login attempt
545	* ]
546	*/
547	do_action( 'jpp_log_failed_attempt', array( 'login' => $username ) );
548
549	if ( isset( $_COOKIE['jpp_math_pass'] ) ) {
550
551	$transient = $this->get_transient( 'jpp_math_pass_' . sanitize_key( $_COOKIE['jpp_math_pass'] ) );
552	if ( is_int( $transient ) ) {
553	--$transient;
554	}
555
556	if ( ! is_int( $transient ) \|\| $transient < 1 ) {
557	$this->delete_transient( 'jpp_math_pass_' . sanitize_key( $_COOKIE['jpp_math_pass'] ) );
558	// This is a cop out for the tests on some PHP versions
559	if ( ! headers_sent() ) {
560	setcookie( 'jpp_math_pass', '0', time() - DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, false, true );
561	}
562	} else {
563	$this->set_transient( 'jpp_math_pass_' . sanitize_key( $_COOKIE['jpp_math_pass'] ), $transient, DAY_IN_SECONDS );
564	}
565	}
566	$this->protect_call( 'failed_attempt' );
567	}
568
569	/**
570	* Set up the Brute Force Protection configuration page
571	*/
572	public function modules_loaded() {
573	add_filter( 'jetpack_module_configurable_protect', '__return_true' );
574	}
575
576	/**
577	* Logs a successful login back to our servers, this allows us to make sure we're not blocking
578	* a busy IP that has a lot of good logins along with some forgotten passwords. Also saves current user's ip
579	* to the ip address allow list
580	*
581	* @param string $user_login - the user logging in.
582	* @param \WP_User $user - the user.
583	*/
584	public function log_successful_login( $user_login, $user = null ) {
585	if ( ! $user ) { // For do_action( 'wp_login' ) calls that lacked passing the 2nd arg.
586	$user = get_user_by( 'login', $user_login );
587	}
588
589	$this->protect_call( 'successful_login', array( 'roles' => $user->roles ) );
590	}
591
592	/**
593	* Checks for loginability BEFORE authentication so that bots don't get to go around the log in form.
594	*
595	* If we are using our math fallback, authenticate via math-fallback.php
596	*
597	* @param string $user - the user.
598	* @param string $username - the username.
599	* @param string $password - the password.
600	*
601	* @return string $user
602	*/
603	public function check_preauth( $user = 'Not Used By Protect', $username = 'Not Used By Protect', $password = 'Not Used By Protect' ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
604	$allow_login = $this->check_login_ability( true );
605	$use_math = $this->get_transient( 'brute_use_math' );
606
607	if ( ! $allow_login ) {
608	$this->block_with_math();
609	}
610
611	if ( ( 1 == $use_math \|\| 1 == $this->block_login_with_math ) && isset( $_POST['log'] ) ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual, WordPress.Security.NonceVerification.Missing -- POST request just determines if we use math authentication.
612
613	Brute_Force_Protection_Math_Authenticate::math_authenticate();
614	}
615
616	return $user;
617	}
618
619	/**
620	* Get all IP headers so that we can process on our server...
621	*
622	* @return array
623	*/
624	public function get_headers() {
625	$output = array();
626	$ip_related_headers = array(
627	'GD_PHP_HANDLER',
628	'HTTP_AKAMAI_ORIGIN_HOP',
629	'HTTP_CF_CONNECTING_IP',
630	'HTTP_CLIENT_IP',
631	'HTTP_FASTLY_CLIENT_IP',
632	'HTTP_FORWARDED',
633	'HTTP_FORWARDED_FOR',
634	'HTTP_INCAP_CLIENT_IP',
635	'HTTP_TRUE_CLIENT_IP',
636	'HTTP_X_CLIENTIP',
637	'HTTP_X_CLUSTER_CLIENT_IP',
638	'HTTP_X_FORWARDED',
639	'HTTP_X_FORWARDED_FOR',
640	'HTTP_X_IP_TRAIL',
641	'HTTP_X_REAL_IP',
642	'HTTP_X_VARNISH',
643	'REMOTE_ADDR',
644	);
645
646	foreach ( $ip_related_headers as $header ) {
647	if ( ! empty( $_SERVER[ $header ] ) ) {
648	$output[ $header ] = wp_unslash( $_SERVER[ $header ] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
649	}
650	}
651
652	return $output;
653	}
654
655	/**
656	* Whether or not the IP allow list is enabled.
657	*
658	* @return bool
659	*/
660	public static function ip_allow_list_enabled() {
661	return get_option( Waf_Rules_Manager::IP_ALLOW_LIST_ENABLED_OPTION_NAME, true );
662	}
663
664	/**
665	* Checks if the IP address is in the allow list.
666	*
667	* @deprecated 0.11.0 Use ip_is_allowed()
668	*
669	* @param string $ip - the IP address.
670	*/
671	public static function ip_is_whitelisted( $ip ) {
672	_deprecated_function( __METHOD__, 'waf-0.11.0', __CLASS__ . '::ip_is_allowed' );
673	return self::ip_is_allowed( $ip );
674	}
675
676	/**
677	* Checks if the IP address is in the allow list.
678	*
679	* @param string $ip - the IP address.
680	*
681	* @return bool
682	*/
683	public function ip_is_allowed( $ip ) {
684	// If we found an exact match in wp-config.
685	if ( defined( 'JETPACK_IP_ADDRESS_OK' ) && JETPACK_IP_ADDRESS_OK === $ip ) {
686	return true;
687	}
688
689	// Allow list must be enabled.
690	if ( ! $this->ip_allow_list_enabled() ) {
691	return false;
692	}
693
694	$allow_list = Brute_Force_Protection_Shared_Functions::get_local_allow_list();
695
696	if ( is_multisite() ) {
697	$allow_list = array_merge( $allow_list, get_site_option( 'jetpack_protect_global_whitelist', array() ) );
698	}
699
700	if ( ! empty( $allow_list ) ) :
701	foreach ( $allow_list as $item ) :
702	// If the IPs are an exact match.
703	if ( ! $item->range && isset( $item->ip_address ) && $item->ip_address === $ip ) {
704	return true;
705	}
706
707	if ( $item->range && isset( $item->range_low ) && isset( $item->range_high ) ) {
708	if ( IP_Utils::ip_address_is_in_range( $ip, $item->range_low, $item->range_high ) ) {
709	return true;
710	}
711	}
712	endforeach;
713	endif;
714
715	return false;
716	}
717
718	/**
719	* Checks the status for a given IP. API results are cached as transients
720	*
721	* @param bool $preauth - Whether or not we are checking prior to authorization.
722	*
723	* @return bool Either returns true, fires $this->kill_login, or includes a math fallback and returns false
724	*/
725	public function check_login_ability( $preauth = false ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
726
727	/**
728	* JETPACK_ALWAYS_PROTECT_LOGIN will always disable the login page, and use a page provided by Jetpack.
729	*/
730	if ( Constants::is_true( 'JETPACK_ALWAYS_PROTECT_LOGIN' ) ) {
731	$this->kill_login();
732	}
733
734	if ( $this->is_current_ip_allowed() ) {
735	return true;
736	}
737
738	$status = $this->get_cached_status();
739
740	if ( empty( $status ) ) {
741	// If we've reached this point, this means that the IP isn't cached.
742	// Now we check with the Protect API to see if we should allow login.
743	$response = $this->protect_call( $action = 'check_ip' ); // phpcs:ignore Squiz.PHP.DisallowMultipleAssignments.Found
744
745	if ( isset( $response['math'] ) && ! function_exists( 'brute_math_authenticate' ) ) {
746	new Brute_Force_Protection_Math_Authenticate();
747
748	return false;
749	}
750
751	$status = $response['status'];
752	}
753
754	if ( 'blocked' === $status ) {
755	$this->block_with_math();
756	}
757
758	if ( 'blocked-hard' === $status ) {
759	$this->kill_login();
760	}
761
762	return true;
763	}
764
765	/**
766	* Check if the user's IP is in the allow list.
767	*
768	* @deprecated 0.11.0 Use is_current_ip_allowed()
769	*/
770	public static function is_current_ip_whitelisted() {
771	_deprecated_function( __METHOD__, 'waf-0.11.0', __CLASS__ . '::is_current_ip_allowed' );
772	return self::is_current_ip_allowed();
773	}
774
775	/**
776	* Check if the user's IP is in the allow list.
777	*/
778	public function is_current_ip_allowed() {
779	$ip = IP_Utils::get_ip();
780
781	// Server is misconfigured and we can't get an IP.
782	if ( ! $ip ) {
783	self::disable();
784	ob_start();
785	( new CookieState() )->state( 'message', 'protect_misconfigured_ip' );
786	ob_end_clean();
787	return true;
788	}
789
790	/**
791	* Short-circuit check_login_ability.
792	*
793	* If there is an alternate way to validate the current IP such as
794	* a hard-coded list of IP addresses, we can short-circuit the rest
795	* of the login ability checks and return true here.
796	*
797	* @module protect
798	*
799	* @since 4.4.0
800	*
801	* @param bool false Should we allow all logins for the current ip? Default: false
802	*/
803	if ( apply_filters( 'jpp_allow_login', false, $ip ) ) {
804	return true;
805	}
806
807	if ( IP_Utils::ip_is_private( $ip ) ) {
808	return true;
809	}
810
811	if ( $this->ip_is_allowed( $ip ) ) {
812	return true;
813	}
814	}
815
816	/**
817	* Check if someone is able to login based on IP.
818	*/
819	public function has_login_ability() {
820	if ( $this->is_current_ip_allowed() ) {
821	return true;
822	}
823	$status = $this->get_cached_status();
824	if ( empty( $status ) \|\| 'ok' === $status ) {
825	return true;
826	}
827	return false;
828	}
829
830	/**
831	* Check the status of the cached transient.
832	*/
833	public function get_cached_status() {
834	$transient_name = $this->get_transient_name();
835	$value = $this->get_transient( $transient_name );
836	if ( isset( $value['status'] ) ) {
837	return $value['status'];
838	}
839	return '';
840	}
841
842	/**
843	* Check if we need to block with a math question to continue logging in.
844	*/
845	public function block_with_math() {
846	/**
847	* By default, Protect will allow a user who has been blocked for too
848	* many failed logins to start answering math questions to continue logging in
849	*
850	* For added security, you can disable this.
851	*
852	* @module protect
853	*
854	* @since 3.6.0
855	*
856	* @param bool Whether to allow math for blocked users or not.
857	*/
858
859	$this->block_login_with_math = 1;
860	/**
861	* Allow Math fallback for blocked IPs.
862	*
863	* @module protect
864	*
865	* @since 3.6.0
866	*
867	* @param bool true Should we fallback to the Math questions when an IP is blocked. Default to true.
868	*/
869	$allow_math_fallback_on_fail = apply_filters( 'jpp_use_captcha_when_blocked', true );
870	if ( ! $allow_math_fallback_on_fail ) {
871	$this->kill_login();
872	}
873
874	new Brute_Force_Protection_Math_Authenticate();
875
876	return false;
877	}
878
879	/**
880	* Kill a login attempt
881	*/
882	public function kill_login() {
883	if (
884	isset( $_GET['action'] ) && isset( $_GET['_wpnonce'] ) &&
885	'logout' === $_GET['action'] &&
886	wp_verify_nonce( $_GET['_wpnonce'], 'log-out' ) && // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
887	wp_get_current_user()
888
889	) {
890	// Allow users to logout.
891	return;
892	}
893
894	$ip = IP_Utils::get_ip();
895	/**
896	* Fires before every killed login.
897	*
898	* @module protect
899	*
900	* @since 3.4.0
901	*
902	* @param string $ip IP flagged by Protect.
903	*/
904	do_action( 'jpp_kill_login', $ip );
905
906	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
907	// translators: variable is the IP address that was flagged.
908	$die_string = sprintf( __( 'Your IP (%1$s) has been flagged for potential security violations.', 'jetpack-waf' ), str_replace( 'http://', '', esc_url( 'http://' . $ip ) ) );
909	wp_die(
910	$die_string, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- esc_url used when forming string.
911	esc_html__( 'Login Blocked by Jetpack', 'jetpack-waf' ),
912	array( 'response' => 403 )
913	);
914	}
915
916	$blocked_login_page = Brute_Force_Protection_Blocked_Login_Page::instance( $ip );
917
918	if ( $blocked_login_page->is_blocked_user_valid() ) {
919	return;
920	}
921
922	$blocked_login_page->render_and_die();
923	}
924
925	/**
926	* Checks if the protect API call has failed, and if so initiates the math captcha fallback.
927	*/
928	public function check_use_math() {
929	$use_math = $this->get_transient( 'brute_use_math' );
930	if ( $use_math ) {
931	new Brute_Force_Protection_Math_Authenticate();
932	}
933	}
934
935	/**
936	* If we're in a multisite network, return the blog ID of the primary blog
937	*
938	* @return int
939	*/
940	public function get_main_blog_id() {
941	if ( ! is_multisite() ) {
942	return false;
943	}
944
945	global $current_site;
946	$primary_blog_id = $current_site->blog_id;
947
948	return $primary_blog_id;
949	}
950
951	/**
952	* Get jetpack blog id, or the jetpack blog id of the main blog in the main network
953	*
954	* @return int
955	*/
956	public function get_main_blog_jetpack_id() {
957	if ( ! is_main_site() ) {
958	switch_to_blog( $this->get_main_blog_id() );
959	$id = Jetpack_Options::get_option( 'id', false );
960	restore_current_blog();
961	} else {
962	$id = Jetpack_Options::get_option( 'id' );
963	}
964
965	return $id;
966	}
967
968	/**
969	* Checks the API key.
970	*/
971	public function check_api_key() {
972	$response = $this->protect_call( 'check_key' );
973
974	if ( isset( $response['ckval'] ) ) {
975	return true;
976	}
977
978	if ( isset( $response['error'] ) ) {
979
980	if ( 'Invalid API Key' === $response['error'] ) {
981	$this->api_key_error = __( 'Your API key is invalid', 'jetpack-waf' );
982	}
983
984	if ( 'API Key Required' === $response['error'] ) {
985	$this->api_key_error = __( 'No API key', 'jetpack-waf' );
986	}
987	}
988
989	$this->api_key_error = __( 'There was an error contacting Jetpack servers.', 'jetpack-waf' );
990
991	return false;
992	}
993
994	/**
995	* Calls over to the api using wp_remote_post
996	*
997	* @param string $action - 'check_ip', 'check_key', or 'failed_attempt'.
998	* @param array $request - Any custom data to post to the api.
999	*
1000	* @return array
1001	*/
1002	public function protect_call( $action = 'check_ip', $request = array() ) {
1003	global $wp_version;
1004
1005	$api_key = $this->maybe_get_protect_key();
1006
1007	$user_agent = "WordPress/{$wp_version}";
1008
1009	$request['action'] = $action;
1010	$request['ip'] = IP_Utils::get_ip();
1011	$request['host'] = $this->get_local_host();
1012	$request['headers'] = wp_json_encode( $this->get_headers(), JSON_UNESCAPED_SLASHES );
1013	$request['jetpack_version'] = null;
1014	$request['wordpress_version'] = (string) $wp_version;
1015	$request['api_key'] = $api_key;
1016	$request['multisite'] = '0';
1017
1018	if ( defined( 'JETPACK__VERSION' ) ) {
1019	$request['jetpack_version'] = constant( 'JETPACK__VERSION' );
1020	$user_agent .= ' \| Jetpack/' . constant( 'JETPACK__VERSION' );
1021	}
1022
1023	if ( defined( 'JETPACK_PROTECT_VERSION' ) && ! defined( 'JETPACK__VERSION' ) ) {
1024	$request['jetpack_version'] = '12.1';
1025	$user_agent .= ' \| JetpackProtect/' . constant( 'JETPACK_PROTECT_VERSION' );
1026	}
1027
1028	if ( is_multisite() ) {
1029	$request['multisite'] = get_blog_count();
1030	}
1031
1032	/**
1033	* Filter controls maximum timeout in waiting for reponse from Protect servers.
1034	*
1035	* @module protect
1036	*
1037	* @since 4.0.4
1038	*
1039	* @param int $timeout Max time (in seconds) to wait for a response.
1040	*/
1041	$timeout = apply_filters( 'jetpack_protect_connect_timeout', 30 );
1042
1043	$args = array(
1044	'body' => $request,
1045	'user-agent' => $user_agent,
1046	'httpversion' => '1.0',
1047	'timeout' => absint( $timeout ),
1048	);
1049
1050	Waf_Constants::define_brute_force_api_host();
1051
1052	$response_json = wp_remote_post( JETPACK_PROTECT__API_HOST, $args );
1053	$this->last_response_raw = $response_json;
1054
1055	$transient_name = $this->get_transient_name();
1056	$this->delete_transient( $transient_name );
1057
1058	if ( is_array( $response_json ) ) {
1059	$response = json_decode( $response_json['body'], true );
1060	}
1061
1062	if ( isset( $response['blocked_attempts'] ) && $response['blocked_attempts'] ) {
1063	update_site_option( 'jetpack_protect_blocked_attempts', $response['blocked_attempts'] );
1064	}
1065
1066	if ( isset( $response['status'] ) && ! isset( $response['error'] ) ) {
1067	$response['expire'] = time() + $response['seconds_remaining'];
1068	$this->set_transient( $transient_name, $response, $response['seconds_remaining'] );
1069	$this->delete_transient( 'brute_use_math' );
1070	} else { // Fallback to Math Captcha if no response from API host.
1071	$this->set_transient( 'brute_use_math', 1, 600 );
1072	$response['status'] = 'ok';
1073	$response['math'] = true;
1074	}
1075
1076	if ( isset( $response['error'] ) ) {
1077	update_site_option( 'jetpack_protect_error', $response['error'] );
1078	} else {
1079	delete_site_option( 'jetpack_protect_error' );
1080	}
1081
1082	return $response;
1083	}
1084
1085	/**
1086	* Gets the transient name.
1087	*/
1088	public function get_transient_name() {
1089	$headers = $this->get_headers();
1090	$header_hash = md5( wp_json_encode( $headers, JSON_UNESCAPED_SLASHES ) );
1091
1092	return 'jpp_li_' . $header_hash;
1093	}
1094
1095	/**
1096	* Wrapper for WordPress set_transient function, our version sets
1097	* the transient on the main site in the network if this is a multisite network
1098	*
1099	* We do it this way (instead of set_site_transient) because of an issue where
1100	* sitewide transients are always autoloaded
1101	* https://core.trac.wordpress.org/ticket/22846
1102	*
1103	* @param string $transient Transient name. Expected to not be SQL-escaped. Must be
1104	* 45 characters or fewer in length.
1105	* @param mixed $value Transient value. Must be serializable if non-scalar.
1106	* Expected to not be SQL-escaped.
1107	* @param int $expiration Optional. Time until expiration in seconds. Default 0.
1108	*
1109	* @return bool False if value was not set and true if value was set.
1110	*/
1111	public function set_transient( $transient, $value, $expiration ) {
1112	if ( is_multisite() && ! is_main_site() ) {
1113	switch_to_blog( $this->get_main_blog_id() );
1114	$return = set_transient( $transient, $value, $expiration );
1115	restore_current_blog();
1116
1117	return $return;
1118	}
1119
1120	return set_transient( $transient, $value, $expiration );
1121	}
1122
1123	/**
1124	* Wrapper for WordPress delete_transient function, our version deletes
1125	* the transient on the main site in the network if this is a multisite network
1126	*
1127	* @param string $transient Transient name. Expected to not be SQL-escaped.
1128	*
1129	* @return bool true if successful, false otherwise
1130	*/
1131	public function delete_transient( $transient ) {
1132	if ( is_multisite() && ! is_main_site() ) {
1133	switch_to_blog( $this->get_main_blog_id() );
1134	$return = delete_transient( $transient );
1135	restore_current_blog();
1136
1137	return $return;
1138	}
1139
1140	return delete_transient( $transient );
1141	}
1142
1143	/**
1144	* Wrapper for WordPress get_transient function, our version gets
1145	* the transient on the main site in the network if this is a multisite network
1146	*
1147	* @param string $transient Transient name. Expected to not be SQL-escaped.
1148	*
1149	* @return mixed Value of transient.
1150	*/
1151	public function get_transient( $transient ) {
1152	if ( is_multisite() && ! is_main_site() ) {
1153	switch_to_blog( $this->get_main_blog_id() );
1154	$return = get_transient( $transient );
1155	restore_current_blog();
1156
1157	return $return;
1158	}
1159
1160	return get_transient( $transient );
1161	}
1162
1163	/**
1164	* Returns the local host.
1165	*/
1166	public function get_local_host() {
1167	if ( isset( $this->local_host ) ) {
1168	return $this->local_host;
1169	}
1170
1171	$uri = 'http://' . strtolower( isset( $_SERVER['HTTP_HOST'] ) ? filter_var( wp_unslash( $_SERVER['HTTP_HOST'] ) ) : '' );
1172
1173	if ( is_multisite() ) {
1174	$uri = network_home_url();
1175	}
1176
1177	$domain = '';
1178	$uridata = wp_parse_url( $uri );
1179	if ( false !== $uridata ) {
1180	$domain = $uridata['host'];
1181	}
1182
1183	// If we still don't have the site_url, get it.
1184	if ( ! $domain ) {
1185	$uri = get_site_url( 1 );
1186	$uridata = wp_parse_url( $uri );
1187	$domain = $uridata['host'];
1188	}
1189
1190	$this->local_host = $domain;
1191
1192	return $this->local_host;
1193	}
1194	}