WAF: Introduce separate toggles for the block and allow lists #38184
@@ -108,18 +108,25 @@ public static function update_waf( $request ) { | |||
|
|||
// IP Lists Enabled | |||
if ( isset( $request[ Waf_Rules_Manager::IP_LISTS_ENABLED_OPTION_NAME ] ) ) { | |||
_deprecated_argument( __METHOD__, '$next-version$', 'Use jetpack_waf_allow_list_enabled and jetpack_waf_block_list_enabled instead.' ); |
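Review bot: the branch that accepts `Waf_Rules_Manager::IP_LISTS_ENABLED_OPTION_NAME` only shows the `_deprecated_argument()` call; make sure it also maps the legacy value onto both `jetpack_waf_allow_list_enabled` and `jetpack_waf_block_list_enabled`, otherwise an outdated Jetpack or Protect that still sends only the old key gets a deprecation notice but its setting is not applied. Note too that `_deprecated_argument()` raises a notice on every such request whenever `WP_DEBUG` is enabled, which on a production site with debugging left on means a log entry per settings update from the older plugin; a code comment marking the key as deprecated, with the mapping kept in place, is the quieter option.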
To me, using `_deprecated_argument` here feels like "best practice", so I've included it in the initial draft for this PR. However, there are a lot of WordPress sites out there running with `WP_DEBUG` enabled in production, and I experienced this during my last support rotation.

It may be better to "silently" deprecate these features using a comment, as it is still possible for older versions of Jetpack or Protect to use the latest package version when one plugin is updated and the other is not.
I've gone ahead and removed this.
This change introduces the allow list toggle to brute force login protection. If the allow list toggle has never been set, default to true, as the allow list was always used in previous versions.
Backwards compatibility changes.
- Ensure the bootstrap script is regenerated when one of the new IP list options changes.
- Provide default values for the new options, to preserve the behaviour of the site's previous settings.
- Keep support for the deprecated option in the REST API, as it may be used by an outdated plugin when both Jetpack and Protect are installed.
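The compatibility rules described in the last three comments (defaulting the brute force protection allow list to enabled when its toggle was never set, seeding the new options from the old combined setting, regenerating the bootstrap file when a toggle changes, and still honouring the deprecated key on the REST API), as an added PHP illustration that is not the waf package's own code. The legacy key string and the `$options` array standing in for WordPress `get_option()`/`update_option()` are assumptions.

```php
<?php
// Added illustration (not the Jetpack waf package's code) of the compatibility
// rules in this PR. $options stands in for get_option()/update_option().
const ALLOW_LIST_ENABLED   = 'jetpack_waf_allow_list_enabled';
const BLOCK_LIST_ENABLED   = 'jetpack_waf_block_list_enabled';
const LEGACY_LISTS_ENABLED = 'legacy_ip_lists_enabled_PLACEHOLDER'; // stands for IP_LISTS_ENABLED_OPTION_NAME

// Effective state of one toggle: the new option wins, then (for the WAF) the
// legacy combined option, then $default. Brute force protection passes
// $use_legacy = false and $default = true: its allow list was always applied.
function list_enabled( array $options, string $new_key, bool $default, bool $use_legacy = true ): bool {
	if ( isset( $options[ $new_key ] ) ) {
		return (bool) $options[ $new_key ];
	}
	if ( $use_legacy && isset( $options[ LEGACY_LISTS_ENABLED ] ) ) {
		return (bool) $options[ LEGACY_LISTS_ENABLED ];
	}
	return $default;
}

// REST update: an outdated plugin may still send the legacy key, which sets
// both new toggles unless the same request also carries them explicitly.
function apply_update( array $request, array $options ): array {
	if ( isset( $request[ LEGACY_LISTS_ENABLED ] ) ) {
		$legacy = (bool) $request[ LEGACY_LISTS_ENABLED ];
		$options[ ALLOW_LIST_ENABLED ] = $legacy;
		$options[ BLOCK_LIST_ENABLED ] = $legacy;
	}
	foreach ( array( ALLOW_LIST_ENABLED, BLOCK_LIST_ENABLED ) as $key ) {
		if ( isset( $request[ $key ] ) ) {
			$options[ $key ] = (bool) $request[ $key ];
		}
	}
	return $options;
}

// The bootstrap file must be regenerated when either new toggle changed.
function needs_bootstrap_regeneration( array $before, array $after ): bool {
	foreach ( array( ALLOW_LIST_ENABLED, BLOCK_LIST_ENABLED ) as $key ) {
		if ( ( $before[ $key ] ?? null ) !== ( $after[ $key ] ?? null ) ) {
			return true;
		}
	}
	return false;
}

// Constructed sample: an upgraded site with only the legacy toggle set.
$options = array( LEGACY_LISTS_ENABLED => true );
$updated = apply_update( array( BLOCK_LIST_ENABLED => false ), $options );
var_dump( list_enabled( $updated, ALLOW_LIST_ENABLED, true, false ), list_enabled( $updated, BLOCK_LIST_ENABLED, false ), needs_bootstrap_regeneration( $options, $updated ) );
```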
Tried as many ways as I could think of to test backward and cross compatibility and everything checks out. Was able to enable, upgrade, and downgrade without issue, update the lists from each location, and verify that requests (and login attempts when BFP is enabled) were blocked and allowed when my address was added/removed to either list.
@dkmyta Thank you for taking on this thorough review! 😄
The purpose of this PR is to replace the singular "Enable IP block/allow lists" option in the `waf` package with individual controls to toggle the block and allow lists on and off independently. This PR updates the package with the new functionality, in a backwards compatible way. Current and previous versions of Jetpack and Jetpack Protect, as well as the allow list in WordPress.com, should continue to work without regression.

Updated UI controls will be introduced to each related project in follow-up PRs.

Proposed changes:

- `Waf_Rules_Manager::IP_ALLOW_LIST_ENABLED_OPTION_NAME` and `Waf_Rules_Manager::IP_BLOCK_LIST_OPTION_NAME`.
- `Waf_Rules_Manager::IP_LISTS_OPTION_NAME`.
- `IP_LISTS_OPTION_NAME` value in the `waf` package's REST API endpoints.
- `IP_LISTS_OPTION_NAME` value.

Other information:

- Jetpack product discussion: peb6dq-2wI-p2
- Does this pull request change what data or activity we track or use? No

Testing instructions:

- Repeat tests across environments:
- Test the firewall settings in both Jetpack and Protect:
- Test the allow list setting in Calypso:
  - `jetpack build --production plugins/jetpack`
  - `jetpack rsync` to push the built Jetpack on your WPCOM sandbox.
  - `public-api.wordpress.com`.