WAF: Introduce separate toggles for the block and allow lists

[nateweller]

The purpose of this PR is to replace the singular "Enable IP block/allow lists" option in the waf package with individual controls to toggle the block and allow lists on and off independently.

This PR updates the package with the new functionality, in a backwards compatible way. Current and previous versions of Jetpack and Jetpack Protect, as well as the allow list in WordPress.com, should continue to work without regression.

Updated UI controls will be introduced to each related project in follow-up PRs.

Proposed changes:

• Adds Waf_Rules_Manager::IP_ALLOW_LIST_ENABLED_OPTION_NAME and Waf_Rules_Manager::IP_BLOCK_LIST_OPTION_NAME.
• Deprecates Waf_Rules_Manager::IP_LISTS_OPTION_NAME.
• Backwards compatibility: Maintains support for getting and setting the now-deprecated IP_LISTS_OPTION_NAME value in the waf package's REST API endpoints.
• Backwards compatibility: When either of the new options have not been set yet, they will default to the value of the deprecated IP_LISTS_OPTION_NAME value.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

peb6dq-2wI-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

Repeat tests across environments:

• Install production Jetpack, use Jetpack Beta to run this branch via Protect.
• Install production Protect, use Jetpack Beta to run this branch via Jetpack.

Test the firewall settings in both Jetpack and Protect:

• Enable and disable manual rules
• Update IP lists

Test the allow list setting in Calypso:

• Check out this branch in your local development environment.
• Run jetpack build --production plugins/jetpack
• Use jetpack rsync to push the built Jetpack on your WPCOM sandbox.
• Sandbox public-api.wordpress.com.
• Create and connect a JN site that is also running this branch of Jetpack.
• Test updating the IP allow list in Calypso security settings.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/waf/ip-list-toggles branch.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack add/waf/ip-list-toggles
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen daily.
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly. The next release is scheduled for August 6, 2024 (scheduled code freeze on August 5, 2024).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

---

Protect plugin:

• Next scheduled release: August 6, 2024.
• Scheduled code freeze: July 29, 2024.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[nateweller]

To me, using _deprecated_argument here feels like "best practice" so I've included it in the initial draft for this PR. However, there are a lot of WordPress sites out there running with WP_DEBUG enabled in production, and I experienced this during my last support rotation.

It may be better to "silently" deprecate these features using a comment, as it is still possible for older versions of Jetpack or Protect to use the latest package version when one plugin is updated and the other is not.

[nateweller]

I've gone ahead and removed this.

[nateweller]

This change introduces the allow list toggle to brute force login protection.

If the allow list toggle has never been set, default to true as the allow list was always used in previous versions.

[nateweller]

Backwards compatibility changes.

• Ensure the bootstrap script is regenerated when one of the new IP list options changes.
• Provide default values for the new options, to preserve the behaviour of the site's previous settings.

[nateweller]

• Keep support for the deprecated option in the REST API, as it may be used by an outdated plugin when both Jetpack and Protect are installed.

[dkmyta]

Tried as many ways as I could think of to test backward and cross compatibility and everything checks out. Was able to enable, upgrade, and downgrade without issue, update the lists from each location, and verify that requests (and login attempts when BFP is enabled) were blocked and allowed when my address was added/removed to either list.

[nateweller]

@dkmyta Thank you for taking on this thorough review! 😄