Protect: Turn on waf module by default and add UI control for automatic rules

projects/packages/waf/changelog/add-waf-automatic-rule-toggle

@@ -0,0 +1,4 @@
+Significance: minor
+Type: changed
+
+Change the web activation firewall to run automatic and manual rules independantly.

projects/packages/waf/src/class-rest-controller.php

@@ -86,6 +86,11 @@ public static function waf() {
 	 * @return WP_REST_Response
 	 */
 	public static function update_waf( $request ) {
+		// Automatic Rules Enabled
+		if ( isset( $request[ Waf_Runner::AUTOMATIC_RULES_ENABLED_OPTION_NAME ] ) ) {
+			update_option( Waf_Runner::AUTOMATIC_RULES_ENABLED_OPTION_NAME, (bool) $request->get_param( Waf_Runner::AUTOMATIC_RULES_ENABLED_OPTION_NAME ) );
+		}
+
 		// IP Lists Enabled
 		if ( isset( $request[ Waf_Runner::IP_LISTS_ENABLED_OPTION_NAME ] ) ) {
 			update_option( Waf_Runner::IP_LISTS_ENABLED_OPTION_NAME, (bool) $request->get_param( Waf_Runner::IP_LISTS_ENABLED_OPTION_NAME ) );

projects/packages/waf/src/class-waf-runner.php

@@ -16,18 +16,19 @@
  */
 class Waf_Runner {
 
-	const WAF_MODULE_NAME               = 'waf';
-	const WAF_RULES_VERSION             = '1.0.0';
-	const MODE_OPTION_NAME              = 'jetpack_waf_mode';
-	const IP_LISTS_ENABLED_OPTION_NAME  = 'jetpack_waf_ip_list';
-	const IP_ALLOW_LIST_OPTION_NAME     = 'jetpack_waf_ip_allow_list';
-	const IP_BLOCK_LIST_OPTION_NAME     = 'jetpack_waf_ip_block_list';
-	const RULES_FILE                    = __DIR__ . '/../rules/rules.php';
-	const ALLOW_IP_FILE                 = __DIR__ . '/../rules/allow-ip.php';
-	const BLOCK_IP_FILE                 = __DIR__ . '/../rules/block-ip.php';
-	const VERSION_OPTION_NAME           = 'jetpack_waf_rules_version';
-	const RULE_LAST_UPDATED_OPTION_NAME = 'jetpack_waf_last_updated_timestamp';
-	const SHARE_DATA_OPTION_NAME        = 'jetpack_waf_share_data';
+	const WAF_MODULE_NAME                     = 'waf';
+	const WAF_RULES_VERSION                   = '1.0.0';
+	const MODE_OPTION_NAME                    = 'jetpack_waf_mode';
+	const AUTOMATIC_RULES_ENABLED_OPTION_NAME = 'jetpack_waf_automatic_rules';
+	const IP_LISTS_ENABLED_OPTION_NAME        = 'jetpack_waf_ip_list';
+	const IP_ALLOW_LIST_OPTION_NAME           = 'jetpack_waf_ip_allow_list';
+	const IP_BLOCK_LIST_OPTION_NAME           = 'jetpack_waf_ip_block_list';
+	const RULES_FILE                          = __DIR__ . '/../rules/rules.php';
+	const ALLOW_IP_FILE                       = __DIR__ . '/../rules/allow-ip.php';
+	const BLOCK_IP_FILE                       = __DIR__ . '/../rules/block-ip.php';
+	const VERSION_OPTION_NAME                 = 'jetpack_waf_rules_version';
+	const RULE_LAST_UPDATED_OPTION_NAME       = 'jetpack_waf_last_updated_timestamp';
+	const SHARE_DATA_OPTION_NAME              = 'jetpack_waf_share_data';
 
 	/**
 	 * Run the WAF
@@ -56,9 +57,10 @@ public static function initialize() {
 	 * @return void
 	 */
 	public static function add_hooks() {
+		add_action( 'update_option_' . self::AUTOMATIC_RULES_ENABLED_OPTION_NAME, array( static::class, 'activate' ), 10, 0 );
+		add_action( 'update_option_' . self::IP_LISTS_ENABLED_OPTION_NAME, array( static::class, 'activate' ), 10, 0 );
 		add_action( 'update_option_' . self::IP_ALLOW_LIST_OPTION_NAME, array( static::class, 'activate' ), 10, 0 );
 		add_action( 'update_option_' . self::IP_BLOCK_LIST_OPTION_NAME, array( static::class, 'activate' ), 10, 0 );
-		add_action( 'update_option_' . self::IP_LISTS_ENABLED_OPTION_NAME, array( static::class, 'activate' ), 10, 0 );
 		add_action( 'jetpack_waf_rules_update_cron', array( static::class, 'update_rules_cron' ) );
 		// TODO: This doesn't exactly fit here - may need to find another home
 		if ( ! wp_next_scheduled( 'jetpack_waf_rules_update_cron' ) ) {
@@ -81,7 +83,7 @@ public static function define_mode() {
 	}
 
 	/**
-	 * Set the mode definition if it has not been set.
+	 * Set the share data definition if it has not been set.
 	 *
 	 * @return void
 	 */
@@ -136,6 +138,24 @@ public static function is_enabled() {
 		return true;
 	}
 
+	/**
+	 * Determines if automatic rules are enabled.
+	 *
+	 * @return bool
+	 */
+	public static function automatic_rules_enabled() {
+		// for backwards compatibility, if the automatic rules option does not exist and the
+		// module is active, consider automatic rules enabled
+		$option_exists = get_option( self::AUTOMATIC_RULES_ENABLED_OPTION_NAME ) === false;
+		if ( ! $option_exists && self::is_enabled() ) {
+			$is_enabled = true;
+		} else {
+			$is_enabled = (bool) get_option( self::AUTOMATIC_RULES_ENABLED_OPTION_NAME );
+		}
+
+		return $is_enabled;
+	}
+
 	/**
 	 * Enables the WAF module on the site.
 	 */
@@ -157,11 +177,12 @@ public static function disable() {
 	 */
 	public static function get_config() {
 		return array(
-			self::IP_LISTS_ENABLED_OPTION_NAME => get_option( self::IP_LISTS_ENABLED_OPTION_NAME ),
-			self::IP_ALLOW_LIST_OPTION_NAME    => get_option( self::IP_ALLOW_LIST_OPTION_NAME ),
-			self::IP_BLOCK_LIST_OPTION_NAME    => get_option( self::IP_BLOCK_LIST_OPTION_NAME ),
-			self::SHARE_DATA_OPTION_NAME       => get_option( self::SHARE_DATA_OPTION_NAME ),
-			'bootstrap_path'                   => self::get_bootstrap_file_path(),
+			self::AUTOMATIC_RULES_ENABLED_OPTION_NAME => get_option( self::AUTOMATIC_RULES_ENABLED_OPTION_NAME ),
+			self::IP_LISTS_ENABLED_OPTION_NAME        => get_option( self::IP_LISTS_ENABLED_OPTION_NAME ),
+			self::IP_ALLOW_LIST_OPTION_NAME           => get_option( self::IP_ALLOW_LIST_OPTION_NAME ),
+			self::IP_BLOCK_LIST_OPTION_NAME           => get_option( self::IP_BLOCK_LIST_OPTION_NAME ),
+			self::SHARE_DATA_OPTION_NAME              => get_option( self::SHARE_DATA_OPTION_NAME ),
+			'bootstrap_path'                          => self::get_bootstrap_file_path(),
 		);
 	}
 
@@ -268,6 +289,8 @@ public static function activate() {
 			add_option( self::VERSION_OPTION_NAME, self::WAF_RULES_VERSION );
 		}
 
+		add_option( self::AUTOMATIC_RULES_ENABLED_OPTION_NAME, false );
+		add_option( self::IP_LISTS_ENABLED_OPTION_NAME, false );
 		add_option( self::SHARE_DATA_OPTION_NAME, true );
 
 		self::initialize_filesystem();
@@ -440,29 +463,29 @@ public static function generate_rules() {
 
 		self::initialize_filesystem();
 
+		$rules               = "<?php\n";
 		$api_exception       = null;
 		$throw_api_exception = true;
-		try {
-			$rules = self::get_rules_from_api();
-		} catch ( \Exception $e ) {
-			if ( 401 === $e->getCode() ) {
-				// do not throw API exceptions for users who do not have access
-				$throw_api_exception = false;
-			}
 
-			if ( $wp_filesystem->exists( self::RULES_FILE ) && $throw_api_exception ) {
-				throw $e;
+		// Add automatic rules
+		if ( self::automatic_rules_enabled() ) {
+			try {
+				$rules = self::get_rules_from_api();
+			} catch ( \Exception $e ) {
+				if ( 401 === $e->getCode() ) {
+					// do not throw API exceptions for users who do not have access
+					$throw_api_exception = false;
+				}
+
+				if ( $wp_filesystem->exists( self::RULES_FILE ) && $throw_api_exception ) {
+					throw $e;
+				}
+
+				$api_exception = $e;
 			}
-
-			$rules         = "<?php\n";
-			$api_exception = $e;
-		}
-
-		// Ensure that the folder exists.
-		if ( ! $wp_filesystem->is_dir( dirname( self::RULES_FILE ) ) ) {
-			$wp_filesystem->mkdir( dirname( self::RULES_FILE ) );
 		}
 
+		// Add manual rules
 		$ip_allow_rules = self::ALLOW_IP_FILE;
 		$ip_block_rules = self::BLOCK_IP_FILE;
 
@@ -474,6 +497,11 @@ public static function generate_rules() {
 
 		$rules = implode( "\n", $rules_divided_by_line );
 
+		// Ensure that the folder exists.
+		if ( ! $wp_filesystem->is_dir( dirname( self::RULES_FILE ) ) ) {
+			$wp_filesystem->mkdir( dirname( self::RULES_FILE ) );
+		}
+
 		if ( ! $wp_filesystem->put_contents( self::RULES_FILE, $rules ) ) {
 			throw new \Exception( 'Failed writing rules file to: ' . self::RULES_FILE );
 		}

projects/plugins/jetpack/changelog/update-waf-tests

@@ -0,0 +1,4 @@
+Significance: patch
+Type: compat
+
+Update tests for compat with new firewall settings

projects/plugins/jetpack/tests/e2e/helpers/waf-helper.js

@@ -0,0 +1,7 @@
+import { execWpCommand } from 'jetpack-e2e-commons/helpers/utils-helper.cjs';
+import logger from 'jetpack-e2e-commons/logger.cjs';
+
+export async function enableAutomaticRules() {
+	logger.sync( 'Enabling automatic firewall rules' );
+	return execWpCommand( 'option update jetpack_waf_automatic_rules 1' );
+}

projects/plugins/jetpack/tests/e2e/specs/post-connection/waf-blocking.test.js

@@ -3,6 +3,7 @@ import { WpPage } from 'jetpack-e2e-commons/pages/index.js';
 import playwrightConfig from '../../playwright.config.cjs';
 import { Plans, prerequisitesBuilder } from 'jetpack-e2e-commons/env/index.js';
 import { resolveSiteUrl } from 'jetpack-e2e-commons/helpers/utils-helper.cjs';
+import { enableAutomaticRules } from '../../helpers/waf-helper.js';
 
 test.describe.parallel( 'WAF Blocking', () => {
 	test.beforeAll( async ( { browser } ) => {
@@ -18,6 +19,7 @@ test.describe.parallel( 'WAF Blocking', () => {
 			.withPlan( Plans.Complete )
 			.withActiveModules( [ 'waf' ] )
 			.build();
+		await enableAutomaticRules();
 		await page.close();
 	} );
 

projects/plugins/protect/jetpack-protect.php

@@ -116,6 +116,7 @@ function ( $actions ) {
 	}
 );
 
+register_activation_hook( __FILE__, array( 'Jetpack_Protect', 'plugin_activation' ) );
 register_deactivation_hook( __FILE__, array( 'Jetpack_Protect', 'plugin_deactivation' ) );
 
 // Main plugin class.

projects/plugins/protect/src/class-jetpack-protect.php

@@ -15,6 +15,7 @@
 use Automattic\Jetpack\Connection\Manager as Connection_Manager;
 use Automattic\Jetpack\Connection\Rest_Authentication as Connection_Rest_Authentication;
 use Automattic\Jetpack\JITMS\JITM as JITM;
+use Automattic\Jetpack\Modules;
 use Automattic\Jetpack\My_Jetpack\Initializer as My_Jetpack_Initializer;
 use Automattic\Jetpack\My_Jetpack\Products as My_Jetpack_Products;
 use Automattic\Jetpack\Plugins_Installer;
@@ -34,7 +35,8 @@
  */
 class Jetpack_Protect {
 
-	const JETPACK_WAF_MODULE_SLUG = 'waf';
+	const JETPACK_WAF_MODULE_SLUG           = 'waf';
+	const JETPACK_PROTECT_ACTIVATION_OPTION = JETPACK_PROTECT_SLUG . '_activated';
 
 	/**
 	 * Constructor.
@@ -43,6 +45,9 @@ public function __construct() {
 		add_action( 'init', array( $this, 'init' ) );
 		add_action( '_admin_menu', array( $this, 'admin_page_init' ) );
 
+		// Activate the module as the plugin is activated
+		add_action( 'admin_init', array( $this, 'do_plugin_activation_activities' ) );
+
 		// Init Jetpack packages
 		add_action(
 			'plugins_loaded',
@@ -218,6 +223,44 @@ public function plugin_settings_page() {
 		<?php
 	}
 
+	/**
+	 * Activate the WAF module on plugin activation.
+	 *
+	 * @static
+	 */
+	public static function plugin_activation() {
+		add_option( self::JETPACK_PROTECT_ACTIVATION_OPTION, true );
+	}
+
+	/**
+	 * Helper to check that we have a Jetpack connection.
+	 */
+	private static function is_connected() {
+		$manager = new Connection_Manager();
+		return $manager->is_connected() && $manager->has_connected_user();
+	}
+
+	/**
+	 * Runs on admin_init, and does actions required on plugin activation, based on
+	 * the activation option.
+	 *
+	 * This needs to be run after the activation hook, as that results in a redirect,
+	 * and we need the sync module's actions and filters to be registered.
+	 */
+	public static function do_plugin_activation_activities() {
+		if ( get_option( self::JETPACK_PROTECT_ACTIVATION_OPTION ) && self::is_connected() ) {
+			self::activate_module();
+		}
+	}
+
+	/**
+	 * Activates the Publicize module and disables the activation option
+	 */
+	public static function activate_module() {
+		delete_option( self::JETPACK_PROTECT_ACTIVATION_OPTION );
+		( new Modules() )->activate( self::JETPACK_WAF_MODULE_SLUG, false, false );
+	}
+
 	/**
 	 * Removes plugin from the connection manager
 	 * If it's the last plugin using the connection, the site will be disconnected.

projects/plugins/protect/src/js/components/admin-page/index.jsx

@@ -5,6 +5,7 @@ import { useDispatch } from '@wordpress/data';
 import { __ } from '@wordpress/i18n';
 import { addQueryArgs, getQueryArg } from '@wordpress/url';
 import React, { useEffect } from 'react';
+import { JETPACK_SCAN_SLUG } from '../../constants';
 import useWafData from '../../hooks/use-waf-data';
 import { STORE_ID } from '../../state/store';
 import InterstitialPage from '../interstitial-page';
@@ -13,16 +14,14 @@ import Tabs, { Tab } from '../tabs';
 import styles from './styles.module.scss';
 import useRegistrationWatcher from './use-registration-watcher';
 
-export const JETPACK_SCAN = 'jetpack_scan';
-
 const AdminPage = ( { children } ) => {
 	useRegistrationWatcher();
 
 	const { isSeen: wafSeen } = useWafData();
 	const { refreshPlan, startScanOptimistically, refreshStatus } = useDispatch( STORE_ID );
 	const { adminUrl } = window.jetpackProtectInitialState || {};
 	const { run, isRegistered, hasCheckoutStarted } = useProductCheckoutWorkflow( {
-		productSlug: JETPACK_SCAN,
+		productSlug: JETPACK_SCAN_SLUG,
 		redirectUrl: addQueryArgs( adminUrl, { checkPlan: true } ),
 		siteProductAvailabilityHandler: async () =>
 			apiFetch( {