From 487bd3c4ba2ff203d943cca8fcbf14fe3acbb024 Mon Sep 17 00:00:00 2001 From: Mingsong Hu Date: Tue, 23 Aug 2022 09:55:36 +1000 Subject: [PATCH] Release 2.19.0 (#547) * [GOVCMSD9-872] Configure securitytxt module * [GOVCMSD9-872] Grant "view securitytxt" permission to all users via govcms.install * [GOVCMSD9-872] Add default settings for securitytxt module * [GOVCMSD9-872] Fix bug for the module name in the status report. * [GOVCMSD9-609] Update tugboat with php version 8.1 * Remove composer requirement for php in tugboat configuration * Update drupal/address requirement from 1.10.0 to 1.11.0 (#539) Signed-off-by: dependabot[bot] * Update GovCMS version in govcms.info.yml file for 2.19.0 --- .tugboat/config.yml | 2 +- composer.json | 2 +- config/install/securitytxt.settings.yml | 13 ++++ govcms.info.yml | 2 +- govcms.install | 17 +++++ .../govcms_security/govcms_security.info.yml | 1 + .../govcms_security/govcms_security.install | 76 +++++++++++++++++++ 7 files changed, 110 insertions(+), 3 deletions(-) create mode 100644 config/install/securitytxt.settings.yml diff --git a/.tugboat/config.yml b/.tugboat/config.yml index 6f7fc3a6e..d3a5ef6f9 100644 --- a/.tugboat/config.yml +++ b/.tugboat/config.yml @@ -4,7 +4,7 @@ services: image: tugboatqa/mysql:5 app: - image: tugboatqa/php:7.4-apache + image: tugboatqa/php:8.1-apache # Set this as the default service. This does a few things # 1. Clones the git repository into the service container # 2. Exposes port 80 to the Tugboat HTTP proxy diff --git a/composer.json b/composer.json index 07a1c0f90..add8ba870 100644 --- a/composer.json +++ b/composer.json @@ -47,7 +47,7 @@ "composer/installers": "^2.0", "cweagans/composer-patches": "^1.7", "dropzone/dropzone": "5.7.2", - "drupal/address": "1.10.0", + "drupal/address": "1.11.0", "drupal/admin_toolbar": "3.1.0", "drupal/adminimal_admin_toolbar": "1.11.0", "drupal/adminimal_theme": "1.6.0", 
diff --git a/config/install/securitytxt.settings.yml b/config/install/securitytxt.settings.yml new file mode 100644 index 000000000..86ef724fb --- /dev/null +++ b/config/install/securitytxt.settings.yml @@ -0,0 +1,13 @@ +enabled: true +contact_email: '' +contact_phone: '' +contact_page_url: 'https://www.govcms.gov.au/support/security/disclosure' +encryption_public_key_url: '' +policy_page_url: '' +acknowledgement_page_url: '' +signature_text: '' +contact_url: '' +encryption_key_url: '' +policy_url: '' +acknowledgement_url: '' + diff --git a/govcms.info.yml b/govcms.info.yml index ac914f07c..62e8b0e52 100644 --- a/govcms.info.yml +++ b/govcms.info.yml @@ -3,7 +3,7 @@ type: profile description: 'A GovCMS Drupal Distribution for government and the public sector in Australia.' project: govcms core_version_requirement: ^9 -version: '2.18.0' +version: '2.19.0' distribution: name: GovCMS diff --git a/govcms.install b/govcms.install index 825003e6f..4aafe8de7 100644 --- a/govcms.install +++ b/govcms.install @@ -8,6 +8,7 @@ use Drupal\node\Entity\Node; use Drupal\shortcut\Entity\Shortcut; use Drupal\menu_link_content\Entity\MenuLinkContent; +use Drupal\user\RoleInterface; /** * Define a default theme constant. 
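Review bot: The new securitytxt.settings.yml carries two parallel sets of keys (`contact_page_url`/`contact_url`, `encryption_public_key_url`/`encryption_key_url`, `policy_page_url`/`policy_url`, `acknowledgement_page_url`/`acknowledgement_url`), and only `contact_page_url` is populated while `contact_url` stays `''`. Which set the installed securitytxt release reads is not visible in this diff. If it is the shorter `*_url` set, the file is published with `enabled: true` and no contact, which defeats its purpose as a disclosure channel. I would keep only the keys present in the module's config schema, or populate both, e.g. `contact_url: 'https://www.govcms.gov.au/support/security/disclosure'`, and add a comment line naming the module release the key names were taken from.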
@@ -127,6 +128,22 @@ function govcms_install() { 'use_default' => FALSE, ]) ->save(TRUE); + + // Grant the "view securitytxt" permission to all users by default. + // The Security Text module is a dependency of GovCMS Security module, + // which should be installed already at this point. + // govcms_security_update_9001() is doing the same thing as here. + // We might remove all updates for GovCMS 10. + // That is why we duplicated them here. + $module_handler = \Drupal::moduleHandler(); + if ($module_handler->moduleExists('user') && $module_handler->moduleExists('securitytxt')) { + // Anonymous role. + user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, [ + 'view securitytxt']); + // Authenticated role. + user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, [ + 'view securitytxt']); + } } /** diff --git a/modules/custom/core/govcms_security/govcms_security.info.yml b/modules/custom/core/govcms_security/govcms_security.info.yml index b61ef39e5..35e96b1bc 100644 --- a/modules/custom/core/govcms_security/govcms_security.info.yml +++ b/modules/custom/core/govcms_security/govcms_security.info.yml @@ -17,6 +17,7 @@ dependencies: - password_policy:password_policy_username - real_aes - seckit:seckit + - securitytxt - tfa - update_notifications_disable:update_notifications_disable - username_enumeration_prevention:username_enumeration_prevention diff --git a/modules/custom/core/govcms_security/govcms_security.install b/modules/custom/core/govcms_security/govcms_security.install index 223c540c0..0d85f63a1 100644 --- a/modules/custom/core/govcms_security/govcms_security.install +++ b/modules/custom/core/govcms_security/govcms_security.install 
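Review bot: When `securitytxt` is not installed at this point in govcms_install(), the new `if` is skipped without any trace, so anonymous and authenticated users end up without `view securitytxt` and nothing reports it. The added comment only says the module "should be installed already". An else branch such as `\Drupal::logger('govcms')->warning('securitytxt is not installed; "view securitytxt" was not granted.');` would make that state visible to whoever audits the install. As a style point, the two grants differ only in the role ID and could be written as `foreach ([RoleInterface::ANONYMOUS_ID, RoleInterface::AUTHENTICATED_ID] as $rid) { user_role_grant_permissions($rid, ['view securitytxt']); }`. The body of govcms_install() starts outside this hunk.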
@@ -4,3 +4,79 @@
 * @file
 * Contains install and update functions for the module.
 */
+use Drupal\user\RoleInterface;
+
+/**
+ * Issue GOVCMSD9-713: Grant 'view securitytxt' permission from security.txt module to all users.
+ */
+function govcms_security_update_9001() {
+ $module_handler = \Drupal::moduleHandler();
+ if ($module_handler) {
+ // We have to make sure the security text module is installed.
+ if (!($module_handler->moduleExists('securitytxt'))) {
+ // The Security Text module hasn't been installed,
+ // then we install that module here.
+ if (!(\Drupal::service('module_installer')->install(['securitytxt']))) {
+ // In case the Security Text module wasn't installed successfully,
+ // maybe due to that module doesn't exist in the file system.
+ // Here return a message to indicate that the critical module isn't installed.
+ return t('"security.txt" module has not been installed.');
+ }
+ }
+ // Grant the "view securitytxt" permission to all users by default.
+ if ($module_handler->moduleExists('user')) {
+ // Anonymous role.
+ user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, [
+ 'view securitytxt']);
+ // Authenticated role.
+ user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, [
+ 'view securitytxt']);
+ }
+ }
+}
+
+/**
+ * Implements hook_requirements
+ */
+function govcms_security_requirements($phase) {
+ // We only check the requirements during the runtime.
+ if ($phase !== 'runtime') {
+ return [];
+ }
+
+ $requirements = [];
+
+ /* ************************************************************************ */
+ // Dependent modules.
+ /* ************************************************************************ */
+ // Warn if any dependent modules are not installed.
+ // @see system_requirements()
+ $info = \Drupal::service('extension.list.module')->getExtensionInfo('govcms_security');
+ $module_handler = \Drupal::moduleHandler();
+ $dependencies = $info['dependencies'] ?? [];
+ // Modules list that haven't been enabled.
+ $disabled_modules = [];
+
+ if (is_array($dependencies)) {
+ foreach ($dependencies as $dependency_name) {
+ // The dependency name could be {module}:{submodule}
+ // or {module}:{module}.
+ $project_module_name = explode(':', $dependency_name);
+ $module_name = $project_module_name[1] ?? $project_module_name[0];
+ // Check if the dependent module has been enabled.
+ if (!($module_handler->moduleExists($module_name))) {
+ $disabled_modules[] = $module_name;
+ }
+ }
+
+ if (!empty($disabled_modules)) {
+ $requirements['govcms_security_dependencies'] = [
+ 'title' => t("GovCMS Security"),
+ 'value' => t('GovCMS security dependency error. Following module must be enable for security reason.'),
+ 'description' => t('%module_list', [
+ '%module_list' => implode(', ', $disabled_modules)]),
+ 'severity' => REQUIREMENT_ERROR];
+ }
+ }
+ return $requirements;
+}
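Review bot: In govcms_security_update_9001() the failure branch does `return t('"security.txt" module has not been installed.');`, but a string returned from an update hook is shown as the result message of a completed update. The schema would then be recorded at 9001 and the `view securitytxt` grant below it never retried, leaving the site's disclosure file unreadable to anonymous users with only a one-off message as evidence. Raising `throw new \Drupal\Core\Utility\UpdateException('The securitytxt module could not be installed.');` instead keeps the update pending until the module is present. The outer `if ($module_handler)` looks redundant, since `\Drupal::moduleHandler()` returns a service object. In govcms_security_requirements() the docblock should read `Implements hook_requirements().`, and the `value` string would read better as `'The following modules must be enabled for security reasons.'`.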