Sync Package: Replace use of Brute_Force_Protection class with a filter hook #38518

Merged
merged 4 commits into from
Aug 7, 2024

@nateweller nateweller commented Jul 24, 2024

Fixes #38460

Proposed changes:

  • Adds a new jpp_has_login_ability filter to the waf package.
  • Uses the new jpp_has_login_ability filter in the sync package – when the waf package is available, it will provide the computed value through the WordPress hook. If it is unavailable, which technically/ideally should not happen, a default value of false is used.
  • Keeps the use of Brute_Force_Protection::has_login_ability() in the sync package, but with a conditional to prevent exceptions. This ensures functionality in cases where the sync package is updated (starts using filter), but the waf package is not (has not started providing filter).

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

#38460

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  • Test on a site where the sync package is autoloaded from Jetpack Boost.
  • Install Jetpack (current release) and Jetpack Boost (feature branch) on a JN site.
  • Test the brute force login protection feature - repeatedly fail login attempts and verify you are presented with the math challenge, and then eventually get hard blocked from accessing the login page.
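
The three compatibility cases listed under "Proposed changes" (provider package absent, older provider with the class but no filter, newer provider supplying the filter), as an added example that is not code from this pull request or from Jetpack. The `demo_*` functions, the `Demo_Old_Provider` class and the hook shims are hypothetical, and the static `has_login_ability()` call is a simplification.

```php
<?php
// Added illustration, not Jetpack code. Minimal stand-ins for WordPress's
// add_filter()/apply_filters() so the file runs outside WordPress.
$GLOBALS['demo_filters'] = array();

if ( ! function_exists( 'add_filter' ) ) {
	function add_filter( $hook, $callback ) {
		$GLOBALS['demo_filters'][ $hook ][] = $callback;
	}
	function apply_filters( $hook, $value ) {
		foreach ( $GLOBALS['demo_filters'][ $hook ] ?? array() as $callback ) {
			$value = $callback( $value );
		}
		return $value;
	}
}

// Consumer side (hypothetical helper): only touches the provider class when
// it is actually loaded, and fails closed to false otherwise.
function demo_has_login_ability_fallback( $provider_class ) {
	if ( class_exists( $provider_class ) && method_exists( $provider_class, 'has_login_ability' ) ) {
		return (bool) $provider_class::has_login_ability();
	}
	return false;
}

function demo_should_log_failed_login( $provider_class ) {
	// Cast the result: hooked callbacks may return any type.
	return (bool) apply_filters( 'jpp_has_login_ability', demo_has_login_ability_fallback( $provider_class ) );
}

// Constructed stand-in for an older provider that ships the class but no filter.
class Demo_Old_Provider {
	public static function has_login_ability() {
		return true;
	}
}

// Case 1: provider absent. No class and no filter, so the default false stands.
var_dump( demo_should_log_failed_login( 'Demo_Missing_Provider' ) );
// Case 2: older provider. No filter registered, so the guarded class call decides.
var_dump( demo_should_log_failed_login( 'Demo_Old_Provider' ) );
// Case 3: newer provider. Its filter callback overrides whatever the fallback computed.
add_filter( 'jpp_has_login_ability', function ( $fallback_value ) {
	return false;
} );
var_dump( demo_should_log_failed_login( 'Demo_Old_Provider' ) );
```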

@nateweller nateweller added the [Type] Bug When a feature is broken and / or not performing as intended label Jul 24, 2024
@nateweller nateweller requested review from jeherve and a team July 24, 2024 20:42
@nateweller nateweller self-assigned this Jul 24, 2024

github-actions bot commented Jul 24, 2024

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/sync/remove-waf-class-usage branch.

    • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.
  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack fix/sync/remove-waf-class-usage
    
    bin/jetpack-downloader test jetpack-mu-wpcom-plugin fix/sync/remove-waf-class-usage
    

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2


github-actions bot commented Jul 24, 2024

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.


Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team to review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.


Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen daily.
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly. The next release is scheduled for none scheduled (scheduled code freeze on undefined).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions bot added [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Tests] Includes Tests labels Jul 24, 2024
@nateweller nateweller force-pushed the fix/sync/remove-waf-class-usage branch 3 times, most recently from c47605a to 2606179 Compare July 29, 2024 21:02
@nateweller nateweller marked this pull request as ready for review July 29, 2024 21:22
@nateweller nateweller added [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. [Status] Needs Team Review and removed [Status] In Progress labels Jul 29, 2024
@@ -46,8 +60,9 @@ public function init_listeners( $callback ) {
* @param array $failed_attempt Failed attempt data.
*/
public function maybe_log_failed_login_attempt( $failed_attempt ) {
$brute_force_protection = Brute_Force_Protection::instance();
if ( $brute_force_protection->has_login_ability() && ! Jetpack_Constants::is_true( 'XMLRPC_REQUEST' ) ) {
$has_login_ability = apply_filters( 'jpp_has_login_ability', $this->has_login_ability_fallback() );
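Review bot: On the added `apply_filters( 'jpp_has_login_ability', ... )` line, the value is assigned to `$has_login_ability` exactly as hooked callbacks return it, so a callback that returns a non-boolean changes how the following check behaves. Consider casting the result with `(bool)` and documenting the expected type and default in a docblock above the filter. Note also that `$this->has_login_ability_fallback()` is evaluated as the default argument on every call, even when a callback is registered, so it needs to stay cheap and must not throw when `Brute_Force_Protection` is not loaded. The visible lines do not show whether the `! Jetpack_Constants::is_true( 'XMLRPC_REQUEST' )` part of the removed condition is carried over; that is worth confirming.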
Member

Could you add a docblock for this new filter, so it can be parsed and a Codex page can be automatically created? This may be an opportunity to rename it to use the proper jetpack_ prefix too?

Contributor Author

Thanks @jeherve, applied these adjustments via d00182e 👍

@nateweller nateweller force-pushed the fix/sync/remove-waf-class-usage branch from 2606179 to d00182e Compare August 5, 2024 20:03
@nateweller nateweller requested a review from jeherve August 5, 2024 20:07
…lace functionality with a filter hooked into by the Waf package

changelog

Remove error_logs

Update tests

changelog

Fix test set_up method

Conditionally keep the use of Brute_Force_Protection for cases where the sync package is updated, and the waf package has not been, meaning no filter has been registered
@nateweller nateweller force-pushed the fix/sync/remove-waf-class-usage branch from 4bd6f3f to 3e5fc23 Compare August 6, 2024 19:12
@jeherve jeherve left a comment

This seems to test well for me. 👍

@jeherve jeherve removed the [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. label Aug 7, 2024
@nateweller nateweller merged commit 429aba0 into trunk Aug 7, 2024
72 checks passed
@nateweller nateweller deleted the fix/sync/remove-waf-class-usage branch August 7, 2024 18:24
Labels
[Package] Sync [Package] WAF [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Tests] Includes Tests [Type] Bug When a feature is broken and / or not performing as intended
Development

Successfully merging this pull request may close these issues.

Protect / Sync: Brute_Force_Protection class not found