Protect from race conditions

bindlegirl · bindlegirl · commit aa3e166d4244 · 2025-10-27T18:26:12.000+01:00
diff --git a/projects/plugins/wpcomsh/connection/class-atomic-storage-provider.php b/projects/plugins/wpcomsh/connection/class-atomic-storage-provider.php
@@ -67,7 +67,7 @@ public function get( $option_name ) {
 						return null;
 					}
 					$tokens = $this->get_user_tokens( $email, $secret );
-					return $tokens ? $tokens : null;
+					return ( is_array( $tokens ) && ! empty( $tokens ) ) ? $tokens : null;
 			}
 
 			return null;
@@ -107,65 +107,107 @@ public function get_master_user_id( $email ) {
 		}
 
 		/**
-		 * Validates user tokens and removes conflicting tokens.
+		 * Remove conflicting tokens for a given normalized token and user.
 		 *
-		 * Removes any tokens that:
-		 * 1. Belong to the current user but don't match the external storage token
-		 * 2. Have the same secret as external storage but belong to a different user (orphaned tokens)
+		 * Conflicts are:
+		 * - Current user has a different token string than normalized token
+		 * - Any other user has a token sharing the same secret prefix
 		 *
 		 * @since $$next-version$$
 		 *
-		 * @param string $normalized_token The normalized token from external storage (token_key.secret.user_id).
-		 * @param array  $existing_tokens The existing tokens from the database.
-		 * @param int    $user_id The user ID to validate tokens for.
-		 * @return array The tokens array with conflicting tokens removed.
+		 * @param array  $tokens           Tokens array keyed by user ID.
+		 * @param string $normalized_token Normalized token (token_key.secret.user_id).
+		 * @param int    $user_id          Local user ID for whom the token applies.
+		 * @return array { Updated tokens and whether any conflicts were removed }
+		 * @phpstan-return array{ tokens: array, had_conflicts: bool }
 		 */
-		private function validate_user_tokens( $normalized_token, $existing_tokens, $user_id ) {
-			$has_conflicts = false;
+		private function remove_conflicting_tokens( $tokens, $normalized_token, $user_id ) {
+			$had_conflicts = false;
 			$last_dot_pos  = strrpos( $normalized_token, '.' );
 
-			// Validate token format - it must contain a dot to separate secret from user_id
+			// Validate token format - must contain a dot to separate secret from user_id.
 			if ( false === $last_dot_pos ) {
 				// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
-				error_log( "Invalid token format in validate_user_tokens: '{$normalized_token}'" );
-				return $existing_tokens;
+				error_log( "Invalid token format in remove_conflicting_tokens: '{$normalized_token}'" );
+				return array(
+					'tokens'        => $tokens,
+					'had_conflicts' => false,
+				);
 			}
 
 			$secret_prefix = substr( $normalized_token, 0, $last_dot_pos );
 
-			// Check if current user has a mismatched token
-			if ( isset( $existing_tokens[ $user_id ] )
-				&& is_string( $existing_tokens[ $user_id ] )
-				&& ! hash_equals( $normalized_token, $existing_tokens[ $user_id ] ) ) {
+			// Remove mismatched token for the current user.
+			if ( isset( $tokens[ $user_id ] )
+			&& is_string( $tokens[ $user_id ] )
+			&& ! hash_equals( $normalized_token, $tokens[ $user_id ] ) ) {
 				// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 				error_log( "Removing conflicting token for user {$user_id}" );
-				unset( $existing_tokens[ $user_id ] );
-				$has_conflicts = true;
+				unset( $tokens[ $user_id ] );
+				$had_conflicts = true;
 			}
 
-			// Check if any other user has a token with the same secret (orphaned token from previous owner)
-			foreach ( $existing_tokens as $token_user_id => $token ) {
-				if ( $token_user_id !== $user_id && strpos( $token, $secret_prefix . '.' ) === 0 ) {
+			// Remove orphaned tokens (same secret, different user).
+			foreach ( $tokens as $token_user_id => $token ) {
+				if ( is_string( $token ) && (int) $token_user_id !== $user_id && strpos( $token, $secret_prefix . '.' ) === 0 ) {
 					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 					error_log( "Removing orphaned token with same secret for user {$token_user_id}" );
-					unset( $existing_tokens[ $token_user_id ] );
-					$has_conflicts = true;
+					unset( $tokens[ $token_user_id ] );
+					$had_conflicts = true;
 				}
 			}
 
+			return array(
+				'tokens'        => $tokens,
+				'had_conflicts' => $had_conflicts,
+			);
+		}
+
+		/**
+		 * Validates user tokens and removes conflicting tokens.
+		 *
+		 * Removes any tokens that:
+		 * 1. Belong to the current user but don't match the external storage token
+		 * 2. Have the same secret as external storage but belong to a different user (orphaned tokens)
+		 *
+		 * Re-reads the latest state before persisting to minimize race condition window.
+		 *
+		 * @since $$next-version$$
+		 *
+		 * @param string $normalized_token The normalized token from external storage (token_key.secret.user_id).
+		 * @param array  $existing_tokens The existing tokens from the database.
+		 * @param int    $user_id The user ID to validate tokens for.
+		 * @return array The tokens array with conflicting tokens removed.
+		 */
+		private function validate_user_tokens( $normalized_token, $existing_tokens, $user_id ) {
+			$result        = $this->remove_conflicting_tokens( $existing_tokens, $normalized_token, $user_id );
+			$has_conflicts = $result['had_conflicts'];
+
 			// Only persist changes if conflicts were found
 			if ( $has_conflicts ) {
-				// Persist the change to the database to prevent repeated error logging
-				$private_options                = \Jetpack_Options::get_raw_option( 'jetpack_private_options', array() );
-				$private_options['user_tokens'] = $existing_tokens;
-				update_option( 'jetpack_private_options', $private_options );
+				// Re-read latest state right before writing to minimize race window
+				$latest_options = \Jetpack_Options::get_raw_option( 'jetpack_private_options', array() );
+				$latest_tokens  = isset( $latest_options['user_tokens'] ) && is_array( $latest_options['user_tokens'] )
+				? $latest_options['user_tokens']
+				: array();
+
+				// Re-apply cleanup to latest tokens (might find no conflicts now if state changed)
+				$latest_result = $this->remove_conflicting_tokens( $latest_tokens, $normalized_token, $user_id );
+
+				// Write the cleaned latest state
+				$latest_options['user_tokens'] = $latest_result['tokens'];
+				\Jetpack_Options::update_raw_option( 'jetpack_private_options', $latest_options, false );
 
 				// Also clear master_user from database since connection owner data has changed
 				// External storage will provide the correct value on next read
 				\Jetpack_Options::delete_option( 'master_user' );
+
+				// Return what we actually wrote to the database
+				return $latest_result['tokens'];
 			}
 
-			return $existing_tokens;
+			// No conflicts, return cleaned tokens
+			return $result['tokens'];
 		}
 
 		/**
diff --git a/projects/plugins/wpcomsh/tests/AtomicStorageProviderTest.php b/projects/plugins/wpcomsh/tests/AtomicStorageProviderTest.php
@@ -164,4 +164,156 @@ public function test_get_user_tokens_existing_matching() {
 		);
 		$this->assertSame( $expected, $result );
 	}
+
+	/**
+	 * Test get_user_tokens removes conflicting token for current user.
+	 */
+	public function test_get_user_tokens_removes_conflicting_token() {
+		$user_id = static::factory()->user->create( array( 'user_email' => 'owner@example.com' ) );
+
+		// Set existing token with different secret for same user
+		$existing_tokens = array(
+			$user_id => 'old.secret.' . $user_id,
+		);
+		update_option( 'jetpack_private_options', array( 'user_tokens' => $existing_tokens ) );
+
+		// Call with new secret
+		$result = $this->provider->get_user_tokens( 'owner@example.com', 'new.secret' );
+
+		// Should have removed old token and added new one
+		$expected = array(
+			$user_id => 'new.secret.' . $user_id,
+		);
+		$this->assertSame( $expected, $result );
+
+		// Verify it was persisted to database
+		$private_options = get_option( 'jetpack_private_options' );
+		$this->assertSame( $expected, $private_options['user_tokens'] );
+	}
+
+	/**
+	 * Test get_user_tokens removes orphaned tokens with same secret.
+	 */
+	public function test_get_user_tokens_removes_orphaned_tokens() {
+		$old_owner_id  = static::factory()->user->create( array( 'user_email' => 'old@example.com' ) );
+		$new_owner_id  = static::factory()->user->create( array( 'user_email' => 'new@example.com' ) );
+		$other_user_id = static::factory()->user->create( array( 'user_email' => 'other@example.com' ) );
+
+		// Old owner had this secret, now new owner has same secret
+		$existing_tokens = array(
+			$old_owner_id  => 'shared.secret.' . $old_owner_id,
+			$other_user_id => 'different.secret.' . $other_user_id,
+		);
+		update_option( 'jetpack_private_options', array( 'user_tokens' => $existing_tokens ) );
+
+		// New owner connecting with same secret prefix
+		$result = $this->provider->get_user_tokens( 'new@example.com', 'shared.secret' );
+
+		// Should remove old owner's token (same secret) but keep other user's token
+		$expected = array(
+			$new_owner_id  => 'shared.secret.' . $new_owner_id,
+			$other_user_id => 'different.secret.' . $other_user_id,
+		);
+		$this->assertSame( $expected, $result );
+	}
+
+	/**
+	 * Test provider get('user_tokens') returns null when email missing.
+	 */
+	public function test_get_user_tokens_via_provider_returns_null_when_email_missing() {
+		\Atomic_Persistent_Data::delete( 'JETPACK_CONNECTION_OWNER_EMAIL' );
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_TOKEN_SECRET', 'token.secret' );
+
+		$this->assertNull( $this->provider->get( 'user_tokens' ) );
+	}
+
+	/**
+	 * Test provider get('user_tokens') returns null when secret missing.
+	 */
+	public function test_get_user_tokens_via_provider_returns_null_when_secret_missing() {
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_EMAIL', 'owner@example.com' );
+		\Atomic_Persistent_Data::delete( 'JETPACK_CONNECTION_OWNER_TOKEN_SECRET' );
+
+		$this->assertNull( $this->provider->get( 'user_tokens' ) );
+	}
+
+	/**
+	 * Test provider get('user_tokens') returns null when get_user_tokens returns false.
+	 */
+	public function test_get_user_tokens_via_provider_returns_null_for_invalid_user() {
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_EMAIL', 'nonexistent@example.com' );
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_TOKEN_SECRET', 'token.secret' );
+
+		$this->assertNull( $this->provider->get( 'user_tokens' ) );
+	}
+
+	/**
+	 * Test provider get('user_tokens') returns array when valid.
+	 */
+	public function test_get_user_tokens_via_provider_returns_array_when_valid() {
+		$user_id = static::factory()->user->create( array( 'user_email' => 'owner@example.com' ) );
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_EMAIL', 'owner@example.com' );
+		\Atomic_Persistent_Data::set( 'JETPACK_CONNECTION_OWNER_TOKEN_SECRET', 'token.secret' );
+
+		$result = $this->provider->get( 'user_tokens' );
+
+		$this->assertIsArray( $result );
+		$this->assertArrayHasKey( $user_id, $result );
+		$this->assertSame( 'token.secret.' . $user_id, $result[ $user_id ] );
+	}
+
+	/**
+	 * Test validate_user_tokens re-reads latest state before persisting.
+	 */
+	public function test_validate_user_tokens_rereads_before_write() {
+		$user_id = static::factory()->user->create( array( 'user_email' => 'owner@example.com' ) );
+
+		// Initial state: old owner token
+		$initial_tokens = array(
+			$user_id => 'old.secret.' . $user_id,
+		);
+		update_option( 'jetpack_private_options', array( 'user_tokens' => $initial_tokens ) );
+
+		// Simulate: After reading but before validate_user_tokens persists, another user connects
+		// We can't truly test the race condition without threading, but we can verify
+		// that get_user_tokens returns the expected result
+
+		$result = $this->provider->get_user_tokens( 'owner@example.com', 'new.secret' );
+
+		// Should have new owner token
+		$this->assertArrayHasKey( $user_id, $result );
+		$this->assertSame( 'new.secret.' . $user_id, $result[ $user_id ] );
+	}
+
+	/**
+	 * Test get('blog_token') returns null when empty.
+	 */
+	public function test_get_blog_token_returns_null_when_empty() {
+		\Atomic_Persistent_Data::delete( 'JETPACK_BLOG_TOKEN' );
+		$this->assertNull( $this->provider->get( 'blog_token' ) );
+	}
+
+	/**
+	 * Test get('blog_token') returns token when set.
+	 */
+	public function test_get_blog_token_returns_token_when_set() {
+		\Atomic_Persistent_Data::set( 'JETPACK_BLOG_TOKEN', 'blog.token.value' );
+		$this->assertSame( 'blog.token.value', $this->provider->get( 'blog_token' ) );
+	}
+
+	/**
+	 * Test get('id') returns null when empty.
+	 */
+	public function test_get_id_returns_null_when_empty() {
+		\Atomic_Persistent_Data::delete( 'JETPACK_BLOG_ID' );
+		$this->assertNull( $this->provider->get( 'id' ) );
+	}
+
+	/**
+	 * Test get('id') returns int when set.
+	 */
+	public function test_get_id_returns_int_when_set() {
+		\Atomic_Persistent_Data::set( 'JETPACK_BLOG_ID', '12345' );
+		$this->assertSame( 12345, $this->provider->get( 'id' ) );
+	}
 }
