WAF: Remove unnecessary mode check before updating rule files

[nateweller]

Working towards the ability to update the IP allow list via update_waf regardless of the WAF module's status, I noticed that this check doesn't appear to be useful in several cases. We only use the JETPACK_WAF_MODE constant when actually running the firewall, it is not referenced when updating rules or regenerating the bootstrap file for example. See this comment below for more details.

This also helps unblock us from using these methods when the WAF is not enabled (no mode option set).

Proposed changes:

• Removes the Waf_Constants::define_mode() and subsequent Waf_Runner::is_allowed_mode() check from WAF methods that do not use the mode option.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

N/A

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• Validate that tests still pass: jetpack test packages/waf php
• Proof Read: Review the update_rules_if_changed method, and validate that the mode is never used.
• Regression test:
  • Ensure the firewall does not run when not activated.
  • Activate the firewall, ensure a request is blocked.
  • Set the jetpack_waf_mode option to "silent", ensure requests are not blocked.
  • Set the jetpack_waf_mode option to "invalid", ensure the firewall does not run.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the remove/waf/update-rules-mode-check branch.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack remove/waf/update-rules-mode-check
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

[dkmyta]

Tests pass, and functionality appears to remain the same when testing manually. I think I am not grasping the full context though, we continue to run this exact process (define_mode and is_allowed_mode) in a number of other WAF class methods:

• Waf_Initializer::check_for_updates
• Waf_Rules_Manager::update_rules_cron
• Waf_Runner::activate

I understand that the change is specific to the updating of rules but why is it that only this particular method can remove the check when these others seem to be processing similar actions?

[nateweller]

Tests pass, and functionality appears to remain the same when testing manually. I think I am not grasping the full context though, we continue to run this exact process (define_mode and is_allowed_mode) in a number of other WAF class methods:

* `Waf_Initializer::check_for_updates`

* `Waf_Rules_Manager::update_rules_cron`

* `Waf_Runner::activate`

I understand that the change is specific to the updating of rules but why is it that only this particular method can remove the check when these others seem to be processing similar actions?

Hmm... I think these "allowed mode" checks could also be updated or removed.

I recall these checks being a part of the initial version of the WAF, and I may have ended up copying it into a few methods where it isn't doing anything super useful. Or perhaps, updates to how we generate rules and the bootstrap file have made these unnecessary? Or... it may have always been this way 🤷

Anyways, the only time the WAF actually uses the JETPACK_WAF_MODE constant is at runtime, where it ensures the mode is set to "normal" before blocking a request. The alternative supported value being "silent", where the WAF should not actually block anything.

When running in not-standalone-mode, there is a check against the WAF mode in the initialization, which makes sense as it will be used in the runtime.

When running in standalone-mode, the constant is defined by the bootstrap scripts generated without actually checking if it is an "allowed" mode.

IMO we don't need to consider the mode when updating the rule files or activating the WAF, we just need to ensure the mode is valid when attempting to set the value, or use the value (i.e. run the WAF).

I'll make an update to this PR to reflect this...

[dkmyta]

LGTM