Connection: allow provisioning using an application password (#40447)

Modify permission check for `/jetpack/v4/remote_provision` endpoint to allow application passwords.

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/12186994851

Upstream-Ref: Automattic/jetpack@5baf0a9

composer.json

@@ -7,7 +7,7 @@
 		"automattic/jetpack-autoloader": "^5.0.0",
 		"automattic/jetpack-composer-plugin": "^4.0.0",
 		"automattic/jetpack-config": "^3.0.0",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-my-jetpack": "^5.1.1",
 		"automattic/jetpack-search": "^0.47.3-alpha",
 		"automattic/jetpack-stats": "^0.14.1",

jetpack_vendor/automattic/jetpack-boost-core/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1"
+		"automattic/jetpack-connection": "^6.2.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^1.1.1",

jetpack_vendor/automattic/jetpack-connection/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.2.0-alpha] - unreleased
+
+This is an alpha version! The changes listed here are not final.
+
+### Added
+- REST user provisioning with an app password.
+
 ## [6.1.1] - 2024-12-04
 ### Changed
 - Updated package dependencies. [#40363]
@@ -1262,6 +1269,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Separate the connection library into its own package.
 
+[6.2.0-alpha]: https://github.com/Automattic/jetpack-connection/compare/v6.1.1...v6.2.0-alpha
 [6.1.1]: https://github.com/Automattic/jetpack-connection/compare/v6.1.0...v6.1.1
 [6.1.0]: https://github.com/Automattic/jetpack-connection/compare/v6.0.1...v6.1.0
 [6.0.1]: https://github.com/Automattic/jetpack-connection/compare/v6.0.0...v6.0.1

jetpack_vendor/automattic/jetpack-connection/composer.json

@@ -65,7 +65,7 @@
 			"link-template": "https://github.com/Automattic/jetpack-connection/compare/v${old}...v${new}"
 		},
 		"branch-alias": {
-			"dev-trunk": "6.1.x-dev"
+			"dev-trunk": "6.2.x-dev"
 		},
 		"dependencies": {
 			"test-only": [

jetpack_vendor/automattic/jetpack-connection/src/class-package-version.php

@@ -12,7 +12,7 @@
  */
 class Package_Version {
 
-	const PACKAGE_VERSION = '6.1.1';
+	const PACKAGE_VERSION = '6.2.0-alpha';
 
 	const PACKAGE_SLUG = 'connection';
 

jetpack_vendor/automattic/jetpack-connection/src/class-rest-connector.php

@@ -339,9 +339,15 @@ public static function remote_authorize( $request ) {
 	 *
 	 * @return WP_Error|array
 	 */
-	public static function remote_provision( WP_REST_Request $request ) {
+	public function remote_provision( WP_REST_Request $request ) {
+		$request_data = $request->get_params();
+
+		if ( did_action( 'application_password_did_authenticate' ) && current_user_can( 'jetpack_connect_user' ) ) {
+			$request_data['local_user'] = get_current_user_id();
+		}
+
 		$xmlrpc_server = new Jetpack_XMLRPC_Server();
-		$result        = $xmlrpc_server->remote_provision( $request );
+		$result        = $xmlrpc_server->remote_provision( $request_data );
 
 		if ( is_a( $result, 'IXR_Error' ) ) {
 			$result = new WP_Error( $result->code, $result->message );
@@ -393,9 +399,20 @@ public function remote_register( WP_REST_Request $request ) {
 	/**
 	 * Remote provision endpoint permission check.
 	 *
+	 * @param WP_REST_Request $request The request object.
+	 *
 	 * @return true|WP_Error
 	 */
-	public function remote_provision_permission_check() {
+	public function remote_provision_permission_check( WP_REST_Request $request ) {
+		// We allow the app password authentication only if 'local_user' is empty for security reasons.
+		if ( empty( $request['local_user'] ) && did_action( 'application_password_did_authenticate' ) ) {
+			if ( current_user_can( 'jetpack_connect_user' ) ) {
+				return true;
+			}
+
+			return new WP_Error( 'invalid_user_permission_remote_provision', self::get_user_permissions_error_msg(), array( 'status' => rest_authorization_required_code() ) );
+		}
+
 		return Rest_Authentication::is_signed_with_blog_token()
 			? true
 			: new WP_Error( 'invalid_permission_remote_provision', self::get_user_permissions_error_msg(), array( 'status' => rest_authorization_required_code() ) );

jetpack_vendor/automattic/jetpack-explat/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1"
+		"automattic/jetpack-connection": "^6.2.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^1.1.1",

jetpack_vendor/automattic/jetpack-jitm/composer.json

@@ -7,7 +7,7 @@
 		"php": ">=7.2",
 		"automattic/jetpack-a8c-mc-stats": "^3.0.0",
 		"automattic/jetpack-assets": "^4.0.1",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-device-detection": "^3.0.0",
 		"automattic/jetpack-logo": "^3.0.0",
 		"automattic/jetpack-redirect": "^3.0.1",

jetpack_vendor/automattic/jetpack-licensing/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1"
+		"automattic/jetpack-connection": "^6.2.0-alpha"
 	},
 	"require-dev": {
 		"automattic/wordbless": "^0.4.2",

jetpack_vendor/automattic/jetpack-my-jetpack/composer.json

@@ -8,7 +8,7 @@
 		"automattic/jetpack-admin-ui": "^0.5.1",
 		"automattic/jetpack-assets": "^4.0.1",
 		"automattic/jetpack-boost-speed-score": "^0.4.0",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-explat": "^0.2.2",
 		"automattic/jetpack-jitm": "^4.0.2",
 		"automattic/jetpack-licensing": "^3.0.2",

jetpack_vendor/automattic/jetpack-protect-status/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-plugins-installer": "^0.5.0",
 		"automattic/jetpack-sync": "^4.0.2",
 		"automattic/jetpack-protect-models": "^0.4.1",

jetpack_vendor/automattic/jetpack-search/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-assets": "^4.0.1",
 		"automattic/jetpack-constants": "^3.0.1",
 		"automattic/jetpack-status": "^5.0.1",

jetpack_vendor/automattic/jetpack-stats/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-constants": "^3.0.1",
 		"automattic/jetpack-status": "^5.0.1"
 	},

jetpack_vendor/automattic/jetpack-sync/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1",
+		"automattic/jetpack-connection": "^6.2.0-alpha",
 		"automattic/jetpack-constants": "^3.0.1",
 		"automattic/jetpack-password-checker": "^0.4.1",
 		"automattic/jetpack-ip": "^0.4.1",

jetpack_vendor/i18n-map.php

@@ -26,7 +26,7 @@
     ),
     'jetpack-connection' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-connection',
-      'ver' => '6.1.1',
+      'ver' => '6.2.0-alpha1733428152',
     ),
     'jetpack-explat' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-explat',

vendor/automattic/jetpack-plans/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.1.1"
+		"automattic/jetpack-connection": "^6.2.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^1.1.1",