Protect: WAF Phase 2

[nateweller]

Project branch for adding the second iteration of the WAF integration in Jetpack Protect.

This PR affects three projects:

• packages/waf: Adds separation between the toggling of automatic and manual rules.
• plugins/jetpack: Updates firewall settings UI to add the new automatic rule setting toggle.
• plugins/protect: Updates the firewall settings UI to add the new automatic rule setting toggle.

Changes proposed in this Pull Request:

Task	PR	Status
Add support for enabling automatic and manual rules independently of each other	#27724	🟣 Merged
Add a dedicated automatic-rules.php file	#28027	🟣 Merged
Toggle automatic rules in the Jetpack Settings UI	#27785	🟣 Merged
Toggle automatic rules in the Protect UI	#27663	🟣 Merged
Add a dedicated screen for editing manual rules	#27786	🟣 Merged
Add Waf_Rules_Manager class	#28084	🟣 Merged
Extract definition of constants from Waf_Runner to Waf_Constants	#28104	🟣 Merged
Update header to consider firewall off when no rules are turned on	#28326	🟣 Merged
Add rules versioning	D95826-code	🟣 Merged
Add post-upgrade messaging	#27787	🟣 Merged
Add Waf_Stats class	#27970	🟣 Merged
Add stats to controls	#28017	🟣 Merged
Extract REST API logic from main plugin class	#28217	🟣 Merged

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?

Jetpack product discussion

peb6dq-4G-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• Review all merged PRs, proof read file changes.
• Validate that all tests are passing.
• Smoke test the Jetpack and Protect plugins to ensure the firewall settings work as described.

Bonus Points:

• Install and activate Jetpack Protect. Validate that the "waf" module is automatically enabled.
• Turn on automatic rules. Validate that a ?test=<script> request is blocked. Validate the contents of the rule files in wp-content/jetpack-waf/rules/.
• Turn off automatic rules, and add manual rules. Validate the manual rules apply, but a ?test=<script> request is not blocked. Validate the contents of the rule files in wp-content/jetpack-waf/rules/.

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ⚠️ All commits were linted before commit.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks (other than "Required review") appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team review" label and ask someone from your team review the code.
Once you’ve done so, switch to the "[Status] Needs Review" label; someone from Jetpack Crew will then review this PR and merge it to be included in the next Jetpack release.

---

Jetpack plugin:

• Next scheduled release: February 7, 2023.
• Scheduled code freeze: January 31, 2023.

---

Protect plugin:

• Next scheduled release: February 7, 2023.
• Scheduled code freeze: January 30, 2023.

[github-actions]

Are you an Automattician? You can now test your Pull Request on WordPress.com. On your sandbox, run bin/jetpack-downloader test jetpack add/protect-waf-phase-2 to get started. More details: p9dueE-5Nn-p2

[jeherve]

This looks good to me. I didn't test all scenarios with the standalone plugin, but I trust you've done that already :)

I'm suggesting a few changes but will apply them right away and approve the PR.

[jeherve]

@nateweller I keep getting the following Fatal error in my development environment since this was merged:

[01-Feb-2023 07:52:03 UTC] PHP Fatal error:  Uncaught Exception: Failed writing automatic rules file to: /var/www/html/wp-content/jetpack-waf/rules/automatic-rules.php in /usr/local/src/jetpack-monorepo/projects/packages/waf/src/class-waf-rules-manager.php:242
Stack trace:
#0 /usr/local/src/jetpack-monorepo/projects/packages/waf/src/class-waf-rules-manager.php(78): Automattic\Jetpack\Waf\Waf_Rules_Manager::generate_automatic_rules()
#1 /var/www/html/wp-includes/class-wp-hook.php(308): Automattic\Jetpack\Waf\Waf_Rules_Manager::update_rules_cron()
#2 /var/www/html/wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters()
#3 /var/www/html/wp-includes/plugin.php(565): WP_Hook->do_action()
#4 /var/www/html/wp-cron.php(188): do_action_ref_array()
#5 {main}
  thrown in /usr/local/src/jetpack-monorepo/projects/packages/waf/src/class-waf-rules-manager.php on line 242

Anything we can do about that?

[nateweller]

You bet, I will address this and open up a PR 👍

[nateweller]

@jeherve I may have identified the potential cause of this, can you fill me in on the details of your local environment when this fatal is occurring?

• Is the waf module currently enabled or disabled?
• Does the wp-content/jetpack-waf directory exist? If so, what files are currently in that directory?

[nateweller]

Opened a PR to address this: #28760

[jeherve]

• It's enabled.
• I have a bootstrap.php and a rules directory. The rules directory has the following files: allow-ip.php, automatic-rules.php, block-ip.php, rules.php