Protect: Add standalone brute force protection support (#31761)

Automattic · Jul 18, 2023 · eff98a6 · eff98a6
1 parent d7fb216
commit eff98a6
Show file tree

Hide file tree

Showing 25 changed files with 408 additions and 203 deletions.
diff --git a/projects/packages/waf/changelog/add-protect-standalone-brute-force-access b/projects/packages/waf/changelog/add-protect-standalone-brute-force-access
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add brute force protection access for particular environments that do not support the WAF
diff --git a/projects/packages/waf/composer.json b/projects/packages/waf/composer.json
@@ -60,7 +60,7 @@
 			"link-template": "https://github.com/Automattic/jetpack-waf/compare/v${old}...v${new}"
 		},
 		"branch-alias": {
-			"dev-trunk": "0.11.x-dev"
+			"dev-trunk": "0.12.x-dev"
 		}
 	},
 	"config": {

diff --git a/projects/packages/waf/src/class-brute-force-protection.php b/projects/packages/waf/src/class-brute-force-protection.php
@@ -212,6 +212,10 @@ public static function is_enabled() {
 	 * @return bool
 	 */
 	public static function enable() {
+		// Return true if already enabled.
+		if ( self::is_enabled() ) {
+			return true;
+		}
 		return ( new Modules() )->activate( 'protect', false, false );
 	}
 
@@ -221,6 +225,10 @@ public static function enable() {
 	 * @return bool
 	 */
 	public static function disable() {
+		// Return true if already disabled.
+		if ( ! self::is_enabled() ) {
+			return true;
+		}
 		return ( new Modules() )->deactivate( 'protect' );
 	}
 

diff --git a/projects/packages/waf/src/class-compatibility.php b/projects/packages/waf/src/class-compatibility.php
@@ -33,6 +33,11 @@ public static function add_compatibility_hooks() {
 	/**
 	 * Run compatibility migrations.
 	 *
+	 * Note that this method should be compatible with sites where
+	 * the request firewall is not active or not supported.
+	 *
+	 * @see Waf_Runner::is_supported_environment().
+	 *
 	 * @since 0.11.0
 	 *
 	 * @return void

diff --git a/projects/packages/waf/src/class-rest-controller.php b/projects/packages/waf/src/class-rest-controller.php
@@ -145,10 +145,13 @@ public static function update_waf( $request ) {
 			}
 		}
 
-		try {
-			Waf_Runner::update_waf();
-		} catch ( Waf_Exception $e ) {
-			return $e->get_wp_error();
+		// Only attempt to update the WAF if the module is supported
+		if ( Waf_Runner::is_supported_environment() ) {
+			try {
+				Waf_Runner::update_waf();
+			} catch ( Waf_Exception $e ) {
+				return $e->get_wp_error();
+			}
 		}
 
 		return self::waf();

diff --git a/projects/packages/waf/src/class-waf-initializer.php b/projects/packages/waf/src/class-waf-initializer.php
@@ -35,29 +35,30 @@ public static function init() {
 		// Ensure backwards compatibility
 		Waf_Compatibility::add_compatibility_hooks();
 
-		// Register REST routes.
+		// Register REST routes
 		add_action( 'rest_api_init', array( new REST_Controller(), 'register_rest_routes' ) );
 
-		// Run the WAF on supported environments
-		if ( Waf_Runner::is_supported_environment() ) {
-			// Update the WAF after installing or upgrading a relevant Jetpack plugin
-			add_action( 'upgrader_process_complete', __CLASS__ . '::update_waf_after_plugin_upgrade', 10, 2 );
-			add_action( 'admin_init', __CLASS__ . '::check_for_waf_update' );
+		// Update the WAF after installing or upgrading a relevant Jetpack plugin
+		add_action( 'upgrader_process_complete', __CLASS__ . '::update_waf_after_plugin_upgrade', 10, 2 );
 
-			// WAF activation/deactivation hooks
-			add_action( 'jetpack_activate_module_waf', __CLASS__ . '::on_waf_activation' );
-			add_action( 'jetpack_deactivate_module_waf', __CLASS__ . '::on_waf_deactivation' );
+		// Check for compatibility updates
+		add_action( 'admin_init', __CLASS__ . '::check_for_updates' );
 
-			// Run the WAF
-			Waf_Runner::initialize();
-		}
+		// WAF activation/deactivation hooks
+		add_action( 'jetpack_activate_module_waf', __CLASS__ . '::on_waf_activation' );
+		add_action( 'jetpack_deactivate_module_waf', __CLASS__ . '::on_waf_deactivation' );
 
 		// Brute force protection activation/deactivation hooks
 		add_action( 'jetpack_activate_module_protect', __CLASS__ . '::on_brute_force_protection_activation' );
 		add_action( 'jetpack_deactivate_module_protect', __CLASS__ . '::on_brute_force_protection_deactivation' );
 
 		// Run brute force protection
 		Brute_Force_Protection::initialize();
+
+		// Run the WAF
+		if ( Waf_Runner::is_supported_environment() ) {
+			Waf_Runner::initialize();
+		}
 	}
 
 	/**
@@ -164,31 +165,37 @@ public static function update_waf_after_plugin_upgrade( $upgrader, $hook_extra )
 	 *
 	 * @return bool|WP_Error True if the WAF is up-to-date or was sucessfully updated, WP_Error if the update failed.
 	 */
-	public static function check_for_waf_update() {
+	public static function check_for_updates() {
 		if ( get_option( self::NEEDS_UPDATE_OPTION_NAME ) ) {
-			// Compatiblity patch for cases where an outdated WAF_Constants class has been
-			// autoloaded by the standalone bootstrap execution at the beginning of the current request.
-			if ( ! method_exists( Waf_Constants::class, 'define_mode' ) ) {
+			if ( Waf_Runner::is_supported_environment() ) {
+				// Compatiblity patch for cases where an outdated WAF_Constants class has been
+				// autoloaded by the standalone bootstrap execution at the beginning of the current request.
+				if ( ! method_exists( Waf_Constants::class, 'define_mode' ) ) {
+					try {
+						( new Waf_Standalone_Bootstrap() )->generate();
+					} catch ( Waf_Exception $e ) {
+						return $e->get_wp_error();
+					}
+				}
+
+				Waf_Compatibility::run_compatibility_migrations();
+
+				Waf_Constants::define_mode();
+				if ( ! Waf_Runner::is_allowed_mode( JETPACK_WAF_MODE ) ) {
+					return new WP_Error( 'waf_mode_invalid', 'Invalid firewall mode.' );
+				}
+
 				try {
+					Waf_Rules_Manager::generate_ip_rules();
+					Waf_Rules_Manager::generate_rules();
 					( new Waf_Standalone_Bootstrap() )->generate();
 				} catch ( Waf_Exception $e ) {
 					return $e->get_wp_error();
 				}
-			}
-
-			Waf_Compatibility::run_compatibility_migrations();
-
-			Waf_Constants::define_mode();
-			if ( ! Waf_Runner::is_allowed_mode( JETPACK_WAF_MODE ) ) {
-				return new WP_Error( 'waf_mode_invalid', 'Invalid firewall mode.' );
-			}
-
-			try {
-				Waf_Rules_Manager::generate_ip_rules();
-				Waf_Rules_Manager::generate_rules();
-				( new Waf_Standalone_Bootstrap() )->generate();
-			} catch ( Waf_Exception $e ) {
-				return $e->get_wp_error();
+			} else {
+				// If the site doesn't support the request firewall,
+				// just migrate the IP allow list used by brute force protection.
+				Waf_Compatibility::migrate_brute_force_protection_ip_allow_list();
 			}
 		}
 

diff --git a/projects/plugins/debug-helper/changelog/add-protect-standalone-brute-force-access b/projects/plugins/debug-helper/changelog/add-protect-standalone-brute-force-access
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add brute force protection access for particular environments that do not support the WAF
diff --git a/projects/plugins/debug-helper/modules/class-waf-helper.php b/projects/plugins/debug-helper/modules/class-waf-helper.php
@@ -182,7 +182,7 @@ public function render_ui() {
 		<hr>
 
 		<h2>Status</h2>
-		<p>Environment is supported: <code><?php echo Waf_Runner::is_supported_environment() ? 'true' : 'false'; ?></code></p>
+		<p>WAF is supported: <code><?php echo Waf_Runner::is_supported_environment() ? 'true' : 'false'; ?></code></p>
 		<p>Firewall status: <code><?php echo Waf_Runner::is_enabled() ? 'enabled' : 'disabled'; ?></code></p>
 
 		<hr>

diff --git a/projects/plugins/debug-helper/plugin.php b/projects/plugins/debug-helper/plugin.php
@@ -3,7 +3,7 @@
  * Plugin Name: Jetpack Debug Tools
  * Description: Give me a Jetpack connection, and I'll break it every way possible.
  * Author: Automattic - Jetpack Crew
- * Version: 1.6.1-alpha
+ * Version: 1.7.0-alpha
  * Text Domain: jetpack
  *
  * @package automattic/jetpack-debug-helper.
@@ -33,7 +33,7 @@
  * The plugin version.
  * Increase that if you do any edits to ensure refreshing the cached assets.
  */
-define( 'JETPACK_DEBUG_HELPER_VERSION', '1.6.1-alpha' );
+define( 'JETPACK_DEBUG_HELPER_VERSION', '1.7.0-alpha' );
 
 /**
  * Include file names from the modules directory here.

diff --git a/projects/plugins/jetpack/changelog/add-protect-standalone-brute-force-access b/projects/plugins/jetpack/changelog/add-protect-standalone-brute-force-access
@@ -0,0 +1,5 @@
+Significance: patch
+Type: other
+Comment: Updated composer.lock.
+
+
diff --git a/projects/plugins/jetpack/composer.lock b/projects/plugins/jetpack/composer.lock
diff --git a/projects/plugins/protect/changelog/add-protect-standalone-brute-force-access b/projects/plugins/protect/changelog/add-protect-standalone-brute-force-access
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add brute force protection access for particular environments that do not support the WAF
diff --git a/projects/plugins/protect/changelog/add-protect-standalone-brute-force-access#2 b/projects/plugins/protect/changelog/add-protect-standalone-brute-force-access#2
@@ -0,0 +1,5 @@
+Significance: patch
+Type: changed
+Comment: Updated composer.lock.
+
+
diff --git a/projects/plugins/protect/composer.lock b/projects/plugins/protect/composer.lock
diff --git a/projects/plugins/protect/src/class-jetpack-protect.php b/projects/plugins/protect/src/class-jetpack-protect.php
@@ -13,6 +13,7 @@
 use Automattic\Jetpack\Assets;
 use Automattic\Jetpack\Connection\Initial_State as Connection_Initial_State;
 use Automattic\Jetpack\Connection\Manager as Connection_Manager;
+use Automattic\Jetpack\IP\Utils as IP_Utils;
 use Automattic\Jetpack\JITMS\JITM as JITM;
 use Automattic\Jetpack\Modules;
 use Automattic\Jetpack\My_Jetpack\Initializer as My_Jetpack_Initializer;
@@ -218,7 +219,8 @@ public function initial_state() {
 			'jetpackScan'       => My_Jetpack_Products::get_product( 'scan' ),
 			'hasRequiredPlan'   => Plan::has_required_plan(),
 			'waf'               => array(
-				'isSupported'         => Waf_Runner::is_supported_environment(),
+				'wafSupported'        => Waf_Runner::is_supported_environment(),
+				'currentIp'           => IP_Utils::get_ip(),
 				'isSeen'              => self::get_waf_seen_status(),
 				'upgradeIsSeen'       => self::get_waf_upgrade_seen_status(),
 				'displayUpgradeBadge' => self::get_waf_upgrade_badge_display_status(),

diff --git a/projects/plugins/protect/src/class-rest-controller.php b/projects/plugins/protect/src/class-rest-controller.php
@@ -12,6 +12,7 @@
 use Automattic\Jetpack\Connection\Rest_Authentication as Connection_Rest_Authentication;
 use Automattic\Jetpack\Waf\Waf_Runner;
 use Jetpack_Protect;
+use WP_Error;
 use WP_REST_Response;
 
 /**

diff --git a/projects/plugins/protect/src/js/components/admin-page/index.jsx b/projects/plugins/protect/src/js/components/admin-page/index.jsx
@@ -17,7 +17,7 @@ import useRegistrationWatcher from './use-registration-watcher';
 const AdminPage = ( { children } ) => {
 	useRegistrationWatcher();
 
-	const { isSupported: wafSupported, isSeen: wafSeen } = useWafData();
+	const { isSeen: wafSeen } = useWafData();
 	const { refreshPlan, startScanOptimistically, refreshStatus } = useDispatch( STORE_ID );
 	const { adminUrl } = window.jetpackProtectInitialState || {};
 	const { run, isRegistered, hasCheckoutStarted } = useProductCheckoutWorkflow( {
@@ -54,19 +54,17 @@ const AdminPage = ( { children } ) => {
 			<Container horizontalSpacing={ 0 }>
 				<Tabs className={ styles.navigation }>
 					<Tab link="/" label={ __( 'Scan', 'jetpack-protect' ) } />
-					{ wafSupported && (
-						<Tab
-							link="/firewall"
-							label={
-								<>
-									{ __( 'Firewall', 'jetpack-protect' ) }
-									{ wafSeen === false && (
-										<span className={ styles.badge }>{ __( 'New', 'jetpack-protect' ) }</span>
-									) }
-								</>
-							}
-						/>
-					) }
+					<Tab
+						link="/firewall"
+						label={
+							<>
+								{ __( 'Firewall', 'jetpack-protect' ) }
+								{ wafSeen === false && (
+									<span className={ styles.badge }>{ __( 'New', 'jetpack-protect' ) }</span>
+								) }
+							</>
+						}
+					/>
 				</Tabs>
 			</Container>
 			{ children }