diff --git a/core/assets/scaffold/files/default.settings.php b/core/assets/scaffold/files/default.settings.php
index d0fbcd3512fb1c21c637dc40ed782f60bfb91e1d..0165492a545e74127e36d644e0c341e5f9f827cf 100644
--- a/core/assets/scaffold/files/default.settings.php
+++ b/core/assets/scaffold/files/default.settings.php
@@ -308,16 +308,18 @@
$settings['update_free_access'] = FALSE;
/**
- * Fallback to HTTP for Update Manager.
- *
- * If your Drupal site fails to connect to updates.drupal.org using HTTPS to
- * fetch Drupal core, module and theme update status, you may uncomment this
- * setting and set it to TRUE to allow an insecure fallback to HTTP. Note that
- * doing so will open your site up to a potential man-in-the-middle attack. You
- * should instead attempt to resolve the issues before enabling this option.
+ * Fallback to HTTP for Update Manager and for fetching security advisories.
+ *
+ * If your site fails to connect to updates.drupal.org over HTTPS (either when
+ * fetching data on available updates, or when fetching the feed of critical
+ * security announcements), you may uncomment this setting and set it to TRUE to
+ * allow an insecure fallback to HTTP. Note that doing so will open your site up
+ * to a potential man-in-the-middle attack. You should instead attempt to
+ * resolve the issues before enabling this option.
* @see https://www.drupal.org/docs/system-requirements/php-requirements#openssl
* @see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
* @see \Drupal\update\UpdateFetcher
+ * @see \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
*/
# $settings['update_fetch_with_http_fallback'] = TRUE;
diff --git a/core/lib/Drupal/Core/Extension/ExtensionVersion.php b/core/lib/Drupal/Core/Extension/ExtensionVersion.php
new file mode 100644
index 0000000000000000000000000000000000000000..928744dbd9a905ff8093deb1590ef2fb08eff063
--- /dev/null
+++ b/core/lib/Drupal/Core/Extension/ExtensionVersion.php
@@ -0,0 +1,158 @@
+<?php
+
+namespace Drupal\Core\Extension;
+
+/**
+ * Provides an extension version value object.
+ *
+ * @internal
+ *
+ * @see https://www.drupal.org/drupalorg/docs/apis/update-status-xml
+ */
+final class ExtensionVersion {
+
+ /**
+ * The '8.x-' prefix is used on contrib extension version numbers.
+ *
+ * @var string
+ */
+ const CORE_PREFIX = '8.x-';
+
+ /**
+ * The major version.
+ *
+ * @var string
+ */
+ protected $majorVersion;
+
+ /**
+ * The minor version.
+ *
+ * @var string|null
+ */
+ protected $minorVersion;
+
+ /**
+ * The version extra string.
+ *
+ * For example, if the extension version is '2.0.3-alpha1', then the version
+ * extra string is 'alpha1'.
+ *
+ * @var string|null
+ */
+ protected $versionExtra;
+
+ /**
+ * Constructs an extension version object from a version string.
+ *
+ * @param string $version_string
+ * The version string.
+ *
+ * @return \Drupal\Core\Extension\ExtensionVersion
+ * The extension version instance.
+ */
+ public static function createFromVersionString(string $version_string): ExtensionVersion {
+ $original_version = $version_string;
+ if (strpos($version_string, static::CORE_PREFIX) === 0 && $version_string !== '8.x-dev') {
+ $version_string = preg_replace('/8\.x-/', '', $version_string, 1);
+ }
+ else {
+ // Ensure the version string has no unsupported core prefixes.
+ $dot_x_position = strpos($version_string, '.x-');
+ if ($dot_x_position === 1 || $dot_x_position === 2) {
+ $after_core_prefix = explode('.x-', $version_string)[1];
+ if ($after_core_prefix !== 'dev') {
+ throw new \UnexpectedValueException("Unexpected version core prefix in $version_string. The only core prefix expected in \Drupal\Core\Extension\ExtensionVersion is: 8.x-");
+ }
+ }
+ }
+ $version_parts = explode('.', $version_string);
+ $major_version = $version_parts[0];
+ $version_parts_count = count($version_parts);
+ if ($version_parts_count === 2) {
+ $minor_version = NULL;
+ }
+ elseif ($version_parts_count === 3) {
+ $minor_version = $version_parts[1];
+ }
+ $last_part_split = explode('-', $version_parts[count($version_parts) - 1]);
+ $version_extra = count($last_part_split) === 1 ? NULL : $last_part_split[1];
+ if ($version_parts_count > 3
+ || $version_parts_count < 2
+ || !is_numeric($major_version)
+ || ($version_parts_count === 3 && !is_numeric($version_parts[1]))
+ // The only case where a non-numeric version part other the extra part is
+ // allowed is in development versions like 8.x-1.x-dev, 1.2.x-dev or
+ // 1.x-dev.
+ || (!is_numeric($last_part_split[0]) && $last_part_split !== 'x' && $version_extra !== 'dev')) {
+ throw new \UnexpectedValueException("Unexpected version number in: $original_version");
+ }
+ return new static($major_version, $minor_version, $version_extra);
+ }
+
+ /**
+ * Constructs an ExtensionVersion object.
+ *
+ * @param string $major_version
+ * The major version.
+ * @param string|null $minor_version
+ * The minor version.
+ * @param string|null $version_extra
+ * The extra version string.
+ */
+ private function __construct(string $major_version, ?string $minor_version, ?string $version_extra) {
+ $this->majorVersion = $major_version;
+ $this->minorVersion = $minor_version;
+ $this->versionExtra = $version_extra;
+ }
+
+ /**
+ * Constructs an ExtensionVersion version object from a support branch.
+ *
+ * This can be used to determine the major version of the branch.
+ * ::getVersionExtra() will always return NULL for branches.
+ *
+ * @param string $branch
+ * The support branch.
+ *
+ * @return \Drupal\Core\Extension\ExtensionVersion
+ * The ExtensionVersion instance.
+ */
+ public static function createFromSupportBranch(string $branch): ExtensionVersion {
+ if (substr($branch, -1) !== '.') {
+ throw new \UnexpectedValueException("Invalid support branch: $branch");
+ }
+ return static::createFromVersionString($branch . '0');
+ }
+
+ /**
+ * Gets the major version.
+ *
+ * @return string
+ * The major version.
+ */
+ public function getMajorVersion(): string {
+ return $this->majorVersion;
+ }
+
+ /**
+ * Gets the minor version.
+ *
+ * @return string|null
+ * The minor version.
+ */
+ public function getMinorVersion(): ?string {
+ return $this->minorVersion;
+ }
+
+ /**
+ * Gets the version extra string at the end of the version number.
+ *
+ * @return string|null
+ * The version extra string if available, or otherwise NULL.
+ */
+ public function getVersionExtra(): ?string {
+ return $this->versionExtra;
+ }
+
+}
diff --git a/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php b/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php
index 63bf5c75fa838d663876ff8d1de3c1fd3f4dafdf..2e8594b564e4ae0a3bf108f1bbff24a31954c5b2 100644
--- a/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php
+++ b/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php
@@ -102,6 +102,16 @@ protected function prepareSettings() {
'value' => $this->apcuEnsureUniquePrefix,
'required' => TRUE,
];
+ // Disable fetching of advisories during tests to avoid outbound calls. This
+ // cannot be set in ::initConfig() because it would not stop these calls
+ // during install. Tests that need to have the security advisories
+ // functionality enabled should override this method and unset this
+ // variable.
+ // @see \Drupal\Tests\system\Functional\SecurityAdvisories\SecurityAdvisoryTest::writeSettings()
+ $settings['config']['system.advisories']['enabled'] = (object) [
+ 'value' => FALSE,
+ 'required' => TRUE,
+ ];
$this->writeSettings($settings);
// Allow for test-specific overrides.
$settings_testing_file = DRUPAL_ROOT . '/' . $this->originalSite . '/settings.testing.php';
diff --git a/core/modules/media/tests/src/Traits/OEmbedTestTrait.php b/core/modules/media/tests/src/Traits/OEmbedTestTrait.php
index a3699ff690720b77c2b0250764ab24f156add81a..555540f42d19b32813295a4af556953d3e9a248c 100644
--- a/core/modules/media/tests/src/Traits/OEmbedTestTrait.php
+++ b/core/modules/media/tests/src/Traits/OEmbedTestTrait.php
@@ -55,6 +55,10 @@ protected function lockHttpClientToFixtures() {
],
],
]);
+ // Rebuild the container in case there is already an instantiated service
+ // that has a dependency on the http_client service.
+ $this->container->get('kernel')->rebuildContainer();
+ $this->container = $this->container->get('kernel')->getContainer();
}
/**
diff --git a/core/modules/system/config/install/system.advisories.yml b/core/modules/system/config/install/system.advisories.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bfdac86895372f2ab56c25bdaada9907b5eada1c
--- /dev/null
+++ b/core/modules/system/config/install/system.advisories.yml
@@ -0,0 +1,2 @@
+enabled: true
+interval_hours: 6
diff --git a/core/modules/system/config/schema/system.schema.yml b/core/modules/system/config/schema/system.schema.yml
index 3a96ffecbe932a4d4c201c275524cce29d49ac6d..2899d6b4f7fbd5665edd4d9ebcbe32b6e271cd72 100644
--- a/core/modules/system/config/schema/system.schema.yml
+++ b/core/modules/system/config/schema/system.schema.yml
@@ -303,6 +303,17 @@ system.theme.global:
type: theme_settings
label: 'Theme global settings'
+system.advisories:
+ type: config_object
+ label: 'Security advisory settings'
+ mapping:
+ enabled:
+ type: boolean
+ label: 'Display critical security advisories'
+ interval_hours:
+ type: integer
+ label: 'How often to check for security advisories, in hours'
+
block.settings.system_branding_block:
type: block_settings
label: 'Branding block'
diff --git a/core/modules/system/src/EventSubscriber/AdvisoriesConfigSubscriber.php b/core/modules/system/src/EventSubscriber/AdvisoriesConfigSubscriber.php
new file mode 100644
index 0000000000000000000000000000000000000000..91e5c127d042b2b13adb550ade0058e7813cbbf5
--- /dev/null
+++ b/core/modules/system/src/EventSubscriber/AdvisoriesConfigSubscriber.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace Drupal\system\EventSubscriber;
+
+use Drupal\Core\Config\ConfigCrudEvent;
+use Drupal\Core\Config\ConfigEvents;
+use Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Defines a config subscriber for changes to 'system.advisories'.
+ */
+class AdvisoriesConfigSubscriber implements EventSubscriberInterface {
+
+ /**
+ * The security advisory fetcher service.
+ *
+ * @var \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
+ */
+ protected $securityAdvisoriesFetcher;
+
+ /**
+ * Constructs a new ConfigSubscriber object.
+ *
+ * @param \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher $security_advisories_fetcher
+ * The security advisory fetcher service.
+ */
+ public function __construct(SecurityAdvisoriesFetcher $security_advisories_fetcher) {
+ $this->securityAdvisoriesFetcher = $security_advisories_fetcher;
+ }
+
+ /**
+ * Deletes the stored response from the security advisories feed, if needed.
+ *
+ * The stored response will only be deleted if the 'interval_hours' config
+ * setting is reduced from the previous value.
+ *
+ * @param \Drupal\Core\Config\ConfigCrudEvent $event
+ * The configuration event.
+ */
+ public function onConfigSave(ConfigCrudEvent $event): void {
+ $saved_config = $event->getConfig();
+ if ($saved_config->getName() === 'system.advisories' && $event->isChanged('interval_hours')) {
+ $original_interval = $saved_config->getOriginal('interval_hours');
+ if ($original_interval && $saved_config->get('interval_hours') < $original_interval) {
+ // If the new interval is less than the original interval, delete the
+ // stored results.
+ $this->securityAdvisoriesFetcher->deleteStoredResponse();
+ }
+ }
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public static function getSubscribedEvents(): array {
+ $events[ConfigEvents::SAVE][] = ['onConfigSave'];
+ return $events;
+ }
+
+}
diff --git a/core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php b/core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php
new file mode 100644
index 0000000000000000000000000000000000000000..486ea5783f084e6b1a0eccc47ad09bae8e02670b
--- /dev/null
+++ b/core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php
@@ -0,0 +1,331 @@
+<?php
+
+namespace Drupal\system\SecurityAdvisories;
+
+use Drupal\Component\Serialization\Json;
+use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Extension\ModuleExtensionList;
+use Drupal\Core\Extension\ProfileExtensionList;
+use Drupal\Core\Extension\ThemeExtensionList;
+use Drupal\Core\KeyValueStore\KeyValueExpirableFactoryInterface;
+use Drupal\Core\Site\Settings;
+use Drupal\Core\Utility\ProjectInfo;
+use Drupal\Core\Extension\ExtensionVersion;
+use GuzzleHttp\Client;
+use GuzzleHttp\Exception\TransferException;
+use GuzzleHttp\RequestOptions;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Defines a service to get security advisories.
+ */
+final class SecurityAdvisoriesFetcher {
+
+ /**
+ * The key to use to store the advisories feed response.
+ */
+ protected const ADVISORIES_JSON_EXPIRABLE_KEY = 'advisories_response';
+
+ /**
+ * The 'system.advisories' configuration.
+ *
+ * @var \Drupal\Core\Config\ImmutableConfig
+ */
+ protected $config;
+
+ /**
+ * The HTTP client.
+ *
+ * @var \GuzzleHttp\Client
+ */
+ protected $httpClient;
+
+ /**
+ * The expirable key/value store for the advisories JSON response.
+ *
+ * @var \Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface
+ */
+ protected $keyValueExpirable;
+
+ /**
+ * Array of extension lists, keyed by extension type.
+ *
+ * @var \Drupal\Core\Extension\ExtensionList[]
+ */
+ protected $extensionLists = [];
+
+ /**
+ * The logger.
+ *
+ * @var \Psr\Log\LoggerInterface
+ */
+ protected $logger;
+
+ /**
+ * Whether to fall back to HTTP if the HTTPS request fails.
+ *
+ * @var bool
+ */
+ protected $withHttpFallback;
+
+ /**
+ * Constructs a new SecurityAdvisoriesFetcher object.
+ *
+ * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
+ * The config factory.
+ * @param \Drupal\Core\KeyValueStore\KeyValueExpirableFactoryInterface $key_value_factory
+ * The expirable key/value factory.
+ * @param \GuzzleHttp\Client $client
+ * The HTTP client.
+ * @param \Drupal\Core\Extension\ModuleExtensionList $module_list
+ * The module extension list.
+ * @param \Drupal\Core\Extension\ThemeExtensionList $theme_list
+ * The theme extension list.
+ * @param \Drupal\Core\Extension\ProfileExtensionList $profile_list
+ * The profile extension list.
+ * @param \Psr\Log\LoggerInterface $logger
+ * The logger.
+ * @param \Drupal\Core\Site\Settings $settings
+ * The settings instance.
+ */
+ public function __construct(ConfigFactoryInterface $config_factory, KeyValueExpirableFactoryInterface $key_value_factory, Client $client, ModuleExtensionList $module_list, ThemeExtensionList $theme_list, ProfileExtensionList $profile_list, LoggerInterface $logger, Settings $settings) {
+ $this->config = $config_factory->get('system.advisories');
+ $this->keyValueExpirable = $key_value_factory->get('system');
+ $this->httpClient = $client;
+ $this->extensionLists['module'] = $module_list;
+ $this->extensionLists['theme'] = $theme_list;
+ $this->extensionLists['profile'] = $profile_list;
+ $this->logger = $logger;
+ $this->withHttpFallback = $settings->get('update_fetch_with_http_fallback', FALSE);
+ }
+
+ /**
+ * Gets security advisories that are applicable for the current site.
+ *
+ * @param bool $allow_outgoing_request
+ * (optional) Whether to allow an outgoing request to fetch the advisories
+ * if there is no stored JSON response. Defaults to TRUE.
+ * @param int $timeout
+ * (optional) The timeout in seconds for the request. Defaults to 0, which
+ * is no timeout.
+ *
+ * @return \Drupal\system\SecurityAdvisories\SecurityAdvisory[]|null
+ * The upstream security advisories, if any. NULL if there was a problem
+ * retrieving the JSON feed, or if there was no stored response and
+ * $allow_outgoing_request was set to FALSE.
+ *
+ * @throws \GuzzleHttp\Exception\TransferException
+ * Thrown if an error occurs while retrieving security advisories.
+ */
+ public function getSecurityAdvisories(bool $allow_outgoing_request = TRUE, int $timeout = 0): ?array {
+ $advisories = [];
+
+ $json_payload = $this->keyValueExpirable->get(self::ADVISORIES_JSON_EXPIRABLE_KEY);
+ // If $json_payload is not an array then it was not set in this method or
+ // has expired in which case we should try to retrieve the advisories.
+ if (!is_array($json_payload)) {
+ if (!$allow_outgoing_request) {
+ return NULL;
+ }
+ $response = $this->doRequest($timeout);
+ $interval_seconds = $this->config->get('interval_hours') * 60 * 60;
+ $json_payload = Json::decode($response);
+ if (is_array($json_payload)) {
+ // Only store and use the response if it could be successfully
+ // decoded to an array from the JSON string.
+ // This value will be deleted if the 'advisories.interval_hours' config
+ // is changed to a lower value.
+ // @see \Drupal\update\EventSubscriber\ConfigSubscriber::onConfigSave()
+ $this->keyValueExpirable->setWithExpire(self::ADVISORIES_JSON_EXPIRABLE_KEY, $json_payload, $interval_seconds);
+ }
+ else {
+ $this->logger->error('The security advisory JSON feed from Drupal.org could not be decoded.');
+ return NULL;
+ }
+ }
+
+ foreach ($json_payload as $advisory_data) {
+ try {
+ $sa = SecurityAdvisory::createFromArray($advisory_data);
+ }
+ catch (\UnexpectedValueException $unexpected_value_exception) {
+ // Ignore items in the feed that are in an invalid format. Although
+ // this is highly unlikely we should still display the items that are
+ // in the correct format.
+ watchdog_exception('system', $unexpected_value_exception, 'Invalid security advisory format: ' . Json::encode($advisory_data));
+ continue;
+ }
+
+ if ($this->isApplicable($sa)) {
+ $advisories[] = $sa;
+ }
+ }
+ return $advisories;
+ }
+
+ /**
+ * Deletes the stored JSON feed response, if any.
+ */
+ public function deleteStoredResponse(): void {
+ $this->keyValueExpirable->delete(self::ADVISORIES_JSON_EXPIRABLE_KEY);
+ }
+
+ /**
+ * Determines if an advisory matches the existing version of a project.
+ *
+ * @param \Drupal\system\SecurityAdvisories\SecurityAdvisory $sa
+ * The security advisory.
+ *
+ * @return bool
+ * TRUE if the security advisory matches the existing version of the
+ * project, or FALSE otherwise.
+ */
+ protected function matchesExistingVersion(SecurityAdvisory $sa): bool {
+ if ($existing_version = $this->getProjectExistingVersion($sa)) {
+ $existing_project_version = ExtensionVersion::createFromVersionString($existing_version);
+ $insecure_versions = $sa->getInsecureVersions();
+ // If a site codebase has a development version of any project, including
+ // core, we cannot be certain if their development build has the security
+ // vulnerabilities that make any of the versions in $insecure_versions
+ // insecure. Therefore, we should err on the side of assuming the site's
+ // code does have the security vulnerabilities and show the advisories.
+ // This will result in some sites seeing advisories that do not affect
+ // their versions, but it will make it less likely that sites with the
+ // security vulnerabilities will not see the advisories.
+ if ($existing_project_version->getVersionExtra() === 'dev') {
+ foreach ($insecure_versions as $insecure_version) {
+ try {
+ $insecure_project_version = ExtensionVersion::createFromVersionString($insecure_version);
+ }
+ catch (\UnexpectedValueException $exception) {
+ // An invalid version string should not halt the evaluation of valid
+ // versions in $insecure_versions. Version numbers that start with
+ // core prefix besides '8.x-' are allowed in $insecure_versions,
+ // but will never match and will throw an exception.
+ continue;
+ }
+ if ($existing_project_version->getMajorVersion() === $insecure_project_version->getMajorVersion()) {
+ if ($existing_project_version->getMinorVersion() === NULL) {
+ // If the dev version doesn't specify a minor version, matching on
+ // the major version alone is considered a match.
+ return TRUE;
+ }
+ if ($existing_project_version->getMinorVersion() === $insecure_project_version->getMinorVersion()) {
+ // If the dev version specifies a minor version, then the insecure
+ // version must match on the minor version.
+ return TRUE;
+ }
+ }
+ }
+ }
+ else {
+ // If the existing version is not a dev version, then it must match an
+ // insecure version exactly.
+ return in_array($existing_version, $insecure_versions, TRUE);
+ }
+ }
+ return FALSE;
+ }
+
+ /**
+ * Gets the information for an extension affected by the security advisory.
+ *
+ * @param \Drupal\system\SecurityAdvisories\SecurityAdvisory $sa
+ * The security advisory.
+ *
+ * @return mixed[]|null
+ * The information as set in the info.yml file and then processed by the
+ * corresponding extension list for the first extension found that matches
+ * the project name of the security advisory. If no matching extension is
+ * found NULL is returned.
+ */
+ protected function getMatchingExtensionInfo(SecurityAdvisory $sa): ?array {
+ if (!isset($this->extensionLists[$sa->getProjectType()])) {
+ return NULL;
+ }
+ $project_info = new ProjectInfo();
+ // The project name on the security advisory will not always match the
+ // machine name for the extension, so we need to search through all
+ // extensions of the expected type to find the matching project.
+ foreach ($this->extensionLists[$sa->getProjectType()]->getList() as $extension) {
+ if ($project_info->getProjectName($extension) === $sa->getProject()) {
+ return $extension->info;
+ }
+ }
+ return NULL;
+ }
+
+ /**
+ * Gets the existing project version.
+ *
+ * @param \Drupal\system\SecurityAdvisories\SecurityAdvisory $sa
+ * The security advisory.
+ *
+ * @return string|null
+ * The project version, or NULL if the project does not exist on
+ * the site.
+ */
+ protected function getProjectExistingVersion(SecurityAdvisory $sa): ?string {
+ if ($sa->isCoreAdvisory()) {
+ return \Drupal::VERSION;
+ }
+ $extension_info = $this->getMatchingExtensionInfo($sa);
+ return $extension_info['version'] ?? NULL;
+ }
+
+ /**
+ * Determines if a security advisory is applicable for the current site.
+ *
+ * @param \Drupal\system\SecurityAdvisories\SecurityAdvisory $sa
+ * The security advisory.
+ *
+ * @return bool
+ * TRUE if the advisory is applicable for the current site, or FALSE
+ * otherwise.
+ */
+ protected function isApplicable(SecurityAdvisory $sa): bool {
+ // Only projects that are in the site's codebase can be applicable. Core
+ // will always be in the codebase, and other projects are in the codebase if
+ // ::getProjectInfo() finds a matching extension for the project name.
+ if ($sa->isCoreAdvisory() || $this->getMatchingExtensionInfo($sa)) {
+ // Public service announcements are always applicable because they are not
+ // dependent on the version of the project that is currently present on
+ // the site. Other advisories are only applicable if they match the
+ // existing version.
+ return $sa->isPsa() || $this->matchesExistingVersion($sa);
+ }
+ return FALSE;
+ }
+
+ /**
+ * Makes an HTTPS GET request, with a possible HTTP fallback.
+ *
+ * This method will fall back to HTTP if the HTTPS request fails and the site
+ * setting 'update_fetch_with_http_fallback' is set to TRUE.
+ *
+ * @param int $timeout
+ * The timeout in seconds for the request.
+ *
+ * @return string
+ * The response.
+ */
+ protected function doRequest(int $timeout): string {
+ $options = [RequestOptions::TIMEOUT => $timeout];
+ if (!$this->withHttpFallback) {
+ // If not using an HTTP fallback just use HTTPS and do not catch any
+ // exceptions.
+ $response = $this->httpClient->get('https://updates.drupal.org/psa.json', $options);
+ }
+ else {
+ try {
+ $response = $this->httpClient->get('https://updates.drupal.org/psa.json', $options);
+ }
+ catch (TransferException $exception) {
+ watchdog_exception('system', $exception);
+ $response = $this->httpClient->get('http://updates.drupal.org/psa.json', $options);
+ }
+ }
+ return (string) $response->getBody();
+ }
+
+}
diff --git a/core/modules/system/src/SecurityAdvisories/SecurityAdvisory.php b/core/modules/system/src/SecurityAdvisories/SecurityAdvisory.php
new file mode 100644
index 0000000000000000000000000000000000000000..4ff3768c1ce419ddaa0de5b830370a772fb13e7f
--- /dev/null
+++ b/core/modules/system/src/SecurityAdvisories/SecurityAdvisory.php
@@ -0,0 +1,219 @@
+<?php
+
+namespace Drupal\system\SecurityAdvisories;
+
+use Symfony\Component\Validator\Constraints\Choice;
+use Symfony\Component\Validator\Constraints\Collection;
+use Symfony\Component\Validator\Constraints\NotBlank;
+use Symfony\Component\Validator\Constraints\Type;
+use Symfony\Component\Validator\Validation;
+
+/**
+ * Provides a security advisory value object.
+ *
+ * These come from the security advisory feed on Drupal.org.
+ *
+ * @internal
+ *
+ * @see https://www.drupal.org/docs/updating-drupal/responding-to-critical-security-update-advisories#s-drupalorg-json-advisories-feed
+ */
+final class SecurityAdvisory {
+
+ /**
+ * The title of the advisory.
+ *
+ * @var string
+ */
+ protected $title;
+
+ /**
+ * The project name for the advisory.
+ *
+ * @var string
+ */
+ protected $project;
+
+ /**
+ * The project type for the advisory.
+ *
+ * @var string
+ */
+ protected $type;
+
+ /**
+ * Whether this advisory is a PSA instead of another type of advisory.
+ *
+ * @var bool
+ */
+ protected $isPsa;
+
+ /**
+ * The currently insecure versions of the project.
+ *
+ * @var string[]
+ */
+ protected $insecureVersions;
+
+ /**
+ * The URL to the advisory.
+ *
+ * @var string
+ */
+ protected $url;
+
+ /**
+ * Constructs a SecurityAdvisories object.
+ *
+ * @param string $title
+ * The title of the advisory.
+ * @param string $project
+ * The project name.
+ * @param string $type
+ * The project type.
+ * @param bool $is_psa
+ * Whether this advisory is a public service announcement.
+ * @param string $url
+ * The URL to the advisory.
+ * @param string[] $insecure_versions
+ * The versions of the project that are currently insecure. For public
+ * service announcements this list does not include versions that will be
+ * marked as insecure when the new security release is published.
+ */
+ private function __construct(string $title, string $project, string $type, bool $is_psa, string $url, array $insecure_versions) {
+ $this->title = $title;
+ $this->project = $project;
+ $this->type = $type;
+ $this->isPsa = $is_psa;
+ $this->url = $url;
+ $this->insecureVersions = $insecure_versions;
+ }
+
+ /**
+ * Creates a SecurityAdvisories instance from an array.
+ *
+ * @param mixed[] $data
+ * The security advisory data as returned from the JSON feed.
+ *
+ * @return self
+ * A new SecurityAdvisories object.
+ */
+ public static function createFromArray(array $data): self {
+ static::validateAdvisoryData($data);
+ return new static(
+ $data['title'],
+ $data['project'],
+ $data['type'],
+ $data['is_psa'],
+ $data['link'],
+ $data['insecure']
+ );
+ }
+
+ /**
+ * Validates the security advisory data.
+ *
+ * @param mixed[] $data
+ * The advisory data.
+ *
+ * @throws \UnexpectedValueException
+ * Thrown if security advisory data is not valid.
+ */
+ protected static function validateAdvisoryData(array $data): void {
+ $not_blank_constraints = [
+ new Type(['type' => 'string']),
+ new NotBlank(),
+ ];
+ $collection_constraint = new Collection([
+ 'fields' => [
+ 'title' => $not_blank_constraints,
+ 'project' => $not_blank_constraints,
+ 'type' => $not_blank_constraints,
+ 'link' => $not_blank_constraints,
+ 'is_psa' => new Choice(['choices' => [1, '1', 0, '0', TRUE, FALSE]]),
+ 'insecure' => new Type(['type' => 'array']),
+ ],
+ // Allow unknown fields, in the case that new fields are added to JSON
+ // feed validation should still pass.
+ 'allowExtraFields' => TRUE,
+ ]);
+ $violations = Validation::createValidator()->validate($data, $collection_constraint);
+ if ($violations->count()) {
+ foreach ($violations as $violation) {
+ $violation_messages[] = "Field " . $violation->getPropertyPath() . ": " . $violation->getMessage();
+ }
+ throw new \UnexpectedValueException('Malformed security advisory: ' . implode(",\n", $violation_messages));
+ }
+ }
+
+ /**
+ * Gets the title.
+ *
+ * @return string
+ * The project title.
+ */
+ public function getTitle(): string {
+ return $this->title;
+ }
+
+ /**
+ * Gets the project associated with the advisory.
+ *
+ * @return string
+ * The project name.
+ */
+ public function getProject(): string {
+ return $this->project;
+ }
+
+ /**
+ * Gets the type of project associated with the advisory.
+ *
+ * @return string
+ * The project type.
+ */
+ public function getProjectType(): string {
+ return $this->type;
+ }
+
+ /**
+ * Whether the security advisory is for core or not.
+ *
+ * @return bool
+ * TRUE if the advisory is for core, or FALSE otherwise.
+ */
+ public function isCoreAdvisory(): bool {
+ return $this->getProjectType() === 'core';
+ }
+
+ /**
+ * Whether the security advisory is a public service announcement or not.
+ *
+ * @return bool
+ * TRUE if the advisory is a public service announcement, or FALSE
+ * otherwise.
+ */
+ public function isPsa(): bool {
+ return $this->isPsa;
+ }
+
+ /**
+ * Gets the currently insecure versions of the project.
+ *
+ * @return string[]
+ * The versions of the project that are currently insecure.
+ */
+ public function getInsecureVersions(): array {
+ return $this->insecureVersions;
+ }
+
+ /**
+ * Gets the URL to the security advisory.
+ *
+ * @return string
+ * The URL to the security advisory.
+ */
+ public function getUrl(): string {
+ return $this->url;
+ }
+
+}
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 0c0e6539143d96c15eef658c9f626de7a5578e36..57119b8691c59d159d81656697ce7eb3e72717c0 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -16,12 +16,14 @@
use Drupal\Core\Entity\Sql\SqlContentEntityStorage;
use Drupal\Core\Entity\Sql\SqlContentEntityStorageSchema;
use Drupal\Core\File\FileSystemInterface;
+use Drupal\Core\Link;
use Drupal\Core\Site\Settings;
use Drupal\Core\StreamWrapper\PrivateStream;
use Drupal\Core\StreamWrapper\PublicStream;
use Drupal\Core\StringTranslation\PluralTranslatableMarkup;
use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\Core\Url;
+use GuzzleHttp\Exception\TransferException;
use Symfony\Component\HttpFoundation\Request;
/**
@@ -91,6 +93,7 @@ function system_requirements($phase) {
'severity' => REQUIREMENT_WARNING,
];
}
+ _system_advisories_requirements($requirements);
}
// Web server information.
@@ -1450,3 +1453,54 @@ function system_update_8901() {
}
}
}
+
+/**
+ * Display requirements from security advisories.
+ *
+ * @param array[] $requirements
+ * The requirements array as specified in hook_requirements().
+ */
+function _system_advisories_requirements(array &$requirements): void {
+ if (!\Drupal::config('system.advisories')->get('enabled')) {
+ return;
+ }
+
+ /** @var \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher $fetcher */
+ $fetcher = \Drupal::service('system.sa_fetcher');
+ try {
+ $advisories = $fetcher->getSecurityAdvisories(TRUE, 5);
+ }
+ catch (TransferException $exception) {
+ $requirements['system_advisories']['title'] = t('Critical security announcements');
+ $requirements['system_advisories']['severity'] = REQUIREMENT_WARNING;
+ $requirements['system_advisories']['description'] = ['#theme' => 'system_security_advisories_fetch_error_message'];
+ watchdog_exception('system', $exception, 'Failed to retrieve security advisory data.');
+ return;
+ }
+
+ if (!empty($advisories)) {
+ $advisory_links = [];
+ $severity = REQUIREMENT_WARNING;
+ foreach ($advisories as $advisory) {
+ if (!$advisory->isPsa()) {
+ $severity = REQUIREMENT_ERROR;
+ }
+ $advisory_links[] = new Link($advisory->getTitle(), Url::fromUri($advisory->getUrl()));
+ }
+ $requirements['system_advisories']['title'] = t('Critical security announcements');
+ $requirements['system_advisories']['severity'] = $severity;
+ $requirements['system_advisories']['description'] = [
+ 'list' => [
+ '#theme' => 'item_list',
+ '#items' => $advisory_links,
+ ],
+ ];
+ if (\Drupal::moduleHandler()->moduleExists('help')) {
+ $requirements['system_advisories']['description']['help_link'] = Link::createFromRoute(
+ 'What are critical security announcements?',
+ 'help.page', ['name' => 'system'],
+ ['fragment' => 'security-advisories']
+ )->toRenderable();
+ }
+ }
+}
diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 40734f7e3529a8f50e0ab3c2e38c5c092faa7140..968f7cf459bfc846043029f1603b9a7e864d42ef 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -20,6 +20,7 @@
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\KeyValueStore\KeyValueDatabaseExpirableFactory;
use Drupal\Core\Language\LanguageInterface;
+use Drupal\Core\Link;
use Drupal\Core\Menu\MenuTreeParameters;
use Drupal\Core\PageCache\RequestPolicyInterface;
use Drupal\Core\Queue\QueueGarbageCollectionInterface;
@@ -89,6 +90,11 @@ function system_help($route_name, RouteMatchInterface $route_match) {
$output .= '<dd>' . t('Your site has several file directories, which are used to store and process uploaded and generated files. The <em>public</em> file directory, which is configured in your settings.php file, is the default place for storing uploaded files. Links to files in this directory contain the direct file URL, so when the files are requested, the web server will send them directly without invoking your site code. This means that the files can be downloaded by anyone with the file URL, so requests are not access-controlled but they are efficient. The <em>private</em> file directory, also configured in your settings.php file and ideally located outside the site web root, is access controlled. Links to files in this directory are not direct, so requests to these files are mediated by your site code. This means that your site can check file access permission for each file before deciding to fulfill the request, so the requests are more secure, but less efficient. You should only use the private storage for files that need access control, not for files like your site logo and background images used on every page. The <em>temporary</em> file directory is used internally by your site code for various operations, and is configured on the <a href=":file-system">File system settings</a> page. You can also see the configured public and private file directories on this page, and choose whether public or private should be the default for uploaded files.', [':file-system' => Url::fromRoute('system.file_system_settings')->toString()]) . '</dd>';
$output .= '<dt>' . t('Configuring the image toolkit') . '</dt>';
$output .= '<dd>' . t('On the <a href=":toolkit">Image toolkit page</a>, you can select and configure the PHP toolkit used to manipulate images. Depending on which distribution or installation profile you choose when you install your site, the GD2 toolkit and possibly others are included; other toolkits may be provided by contributed modules.', [':toolkit' => Url::fromRoute('system.image_toolkit_settings')->toString()]) . '</dd>';
+ if (\Drupal::currentUser()->hasPermission('administer site configuration')) {
+ $output .= '<dt id="security-advisories">' . t('Critical security advisories') . '</dt>';
+ $output .= '<dd>' . t('The System module displays highly critical and time-sensitive security announcements to site administrators. Some security announcements will be displayed until a critical security update is installed. Announcements that are not associated with a specific release will appear for a fixed period of time. <a href=":handbook">More information on critical security advisories</a>.', [':handbook' => 'https://www.drupal.org/docs/updating-drupal/responding-to-critical-security-update-advisories']) . '</dd>';
+ $output .= '<dd>' . t('Only the most highly critical security announcements will be shown. <a href=":advisories-list">View all security announcements</a>.', [':advisories-list' => 'https://www.drupal.org/security']) . '</dd>';
+ }
$output .= '</dl>';
return $output;
@@ -242,6 +248,10 @@ function system_theme() {
'off_canvas_page_wrapper' => [
'variables' => ['children' => NULL],
],
+ 'system_security_advisories_fetch_error_message' => [
+ 'file' => 'system.theme.inc',
+ 'variables' => ['error_message' => []],
+ ],
]);
}
@@ -1058,6 +1068,14 @@ function system_cron() {
// Ensure that all of Drupal's standard directories (e.g., the public files
// directory and config directory) have appropriate .htaccess files.
\Drupal::service('file.htaccess_writer')->ensure();
+
+ if (\Drupal::config('system.advisories')->get('enabled')) {
+ // Fetch the security advisories so that they will be pre-fetched during
+ // _system_advisories_requirements() and system_page_top().
+ /** @var \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher $fetcher */
+ $fetcher = \Drupal::service('system.sa_fetcher');
+ $fetcher->getSecurityAdvisories();
+ }
}
/**
@@ -1304,3 +1322,44 @@ function system_theme_registry_alter(array &$theme_registry) {
claro_system_module_invoked_theme_registry_alter($theme_registry);
}
}
+
+/**
+ * Implements hook_page_top().
+ */
+function system_page_top() {
+ /** @var \Drupal\Core\Routing\AdminContext $admin_context */
+ $admin_context = \Drupal::service('router.admin_context');
+ if ($admin_context->isAdminRoute() && \Drupal::currentUser()->hasPermission('administer site configuration')) {
+ $route_match = \Drupal::routeMatch();
+ $route_name = $route_match->getRouteName();
+ if ($route_name !== 'system.status' && \Drupal::config('system.advisories')->get('enabled')) {
+ /** @var \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher $fetcher */
+ $fetcher = \Drupal::service('system.sa_fetcher');
+ $advisories = $fetcher->getSecurityAdvisories(FALSE);
+ if ($advisories) {
+ $messenger = \Drupal::messenger();
+ $display_as_errors = FALSE;
+ $links = [];
+ foreach ($advisories as $advisory) {
+ // To ensure that all the advisory messages are grouped together on
+ // the page, they must all be warnings or all be errors. If any
+ // advisories are not public service announcements, then display all
+ // the messages as errors because security advisories already tied to
+ // a specific release are immediately actionable by upgrading to a
+ // secure version of a project.
+ $display_as_errors = $display_as_errors ? TRUE : !$advisory->isPsa();
+ $links[] = new Link($advisory->getTitle(), Url::fromUri($advisory->getUrl()));
+ }
+ foreach ($links as $link) {
+ $display_as_errors ? $messenger->addError($link) : $messenger->addWarning($link);
+ }
+ if (\Drupal::moduleHandler()->moduleExists('help')) {
+ $help_link = t('(<a href=":system-help">What are critical security announcements?</a>)', [
+ ':system-help' => Url::fromRoute('help.page', ['name' => 'system'], ['fragment' => 'security-advisories'])->toString(),
+ ]);
+ $display_as_errors ? $messenger->addError($help_link) : $messenger->addWarning($help_link);
+ }
+ }
+ }
+ }
+}
diff --git a/core/modules/system/system.post_update.php b/core/modules/system/system.post_update.php
index 6d09e99c0b0d1cea647d84e36b89308f893ac7c6..bd445fd83ed7575df111743d2a8bf650b0658ddc 100644
--- a/core/modules/system/system.post_update.php
+++ b/core/modules/system/system.post_update.php
@@ -189,3 +189,11 @@ function system_post_update_remove_key_value_expire_all_index() {
$schema->dropIndex('key_value_expire', 'all');
}
}
+
+/**
+ * Add new security advisory retrieval settings.
+ */
+function system_post_update_service_advisory_settings() {
+ $config = \Drupal::configFactory()->getEditable('system.advisories');
+ $config->set('interval_hours', 6)->set('enabled', TRUE)->save();
+}
diff --git a/core/modules/system/system.services.yml b/core/modules/system/system.services.yml
index c0e4d605eab2b3d9d9214c435c3085c29d0847bb..31abbfeac1ec54b9b3c7b8bcf93c3131146e0140 100644
--- a/core/modules/system/system.services.yml
+++ b/core/modules/system/system.services.yml
@@ -53,3 +53,14 @@ services:
arguments: ['@config.factory']
tags:
- { name: event_subscriber }
+ logger.channel.system:
+ parent: logger.channel_base
+ arguments: ['system']
+ system.sa_fetcher:
+ class: Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
+ arguments: ['@config.factory', '@keyvalue.expirable', '@http_client', '@extension.list.module', '@extension.list.theme', '@extension.list.profile', '@logger.channel.system', '@settings']
+ system.advisories_config_subscriber:
+ class: Drupal\system\EventSubscriber\AdvisoriesConfigSubscriber
+ arguments: ['@system.sa_fetcher']
+ tags:
+ - { name: event_subscriber }
diff --git a/core/modules/system/system.theme.inc b/core/modules/system/system.theme.inc
new file mode 100644
index 0000000000000000000000000000000000000000..fc88b4155642e4987fa4b02596083c18705bc68b
--- /dev/null
+++ b/core/modules/system/system.theme.inc
@@ -0,0 +1,38 @@
+<?php
+
+/**
+ * @file
+ * Preprocess functions for the System module.
+ */
+
+use Drupal\Core\Url;
+
+/**
+ * Prepares variables for security advisories fetch error message templates.
+ *
+ * Default template: system-security-advisories-fetch-error-message.html.twig.
+ *
+ * @param array $variables
+ * An associative array of template variables.
+ */
+function template_preprocess_system_security_advisories_fetch_error_message(array &$variables): void {
+ $variables['error_message'] = [
+ 'message' => [
+ '#markup' => t('Failed to fetch security advisory data:'),
+ ],
+ 'items' => [
+ '#theme' => 'item_list',
+ '#items' => [
+ 'documentation_link' => t('See <a href=":url">Troubleshooting the advisory feed</a> for possible causes and resolutions.', [':url' => 'https://www.drupal.org/docs/updating-drupal/responding-to-critical-security-update-advisories#s-troubleshooting-the-advisory-feed']),
+ ],
+ ],
+ ];
+ if (\Drupal::moduleHandler()->moduleExists('dblog') && \Drupal::currentUser()->hasPermission('access site reports')) {
+ $options = ['query' => ['type' => ['system']]];
+ $dblog_url = Url::fromRoute('dblog.overview', [], $options);
+ $variables['error_message']['items']['#items']['dblog'] = t('Check <a href=":url">your local system logs</a> for additional error messages.', [':url' => $dblog_url->toString()]);
+ }
+ else {
+ $variables['error_message']['items']['#items']['logs'] = t('Check your local system logs for additional error messages.');
+ }
+}
diff --git a/core/modules/system/templates/system-security-advisories-fetch-error-message.html.twig b/core/modules/system/templates/system-security-advisories-fetch-error-message.html.twig
new file mode 100644
index 0000000000000000000000000000000000000000..5b901b8e147fd6361093f389a86f26581dc2c70b
--- /dev/null
+++ b/core/modules/system/templates/system-security-advisories-fetch-error-message.html.twig
@@ -0,0 +1,16 @@
+{#
+/**
+ * @file
+ * Default theme implementation for the message when fetching security advisories fails.
+ *
+ * This error message is displayed on the status report page.
+ *
+ * Available variables:
+ * - error_message: A render array containing the appropriate error message.
+ *
+ * @see template_preprocess_system_security_advisories_fetch_error_message()
+ *
+ * @ingroup themeable
+ */
+#}
+{{ error_message }}
diff --git a/core/modules/system/tests/fixtures/psa_feed/invalid.json b/core/modules/system/tests/fixtures/psa_feed/invalid.json
new file mode 100644
index 0000000000000000000000000000000000000000..ab53a5c4503ff5f7315a0a06143be9bd2bcf56e8
--- /dev/null
+++ b/core/modules/system/tests/fixtures/psa_feed/invalid.json
@@ -0,0 +1 @@
+[{"title":"You can't parse this! Oh no! 🔥🙀ðŸ¶
diff --git a/core/modules/system/tests/fixtures/psa_feed/valid-mixed.json b/core/modules/system/tests/fixtures/psa_feed/valid-mixed.json
new file mode 100644
index 0000000000000000000000000000000000000000..43bc9926b0045159082bb5f52c7e4928f891bab8
--- /dev/null
+++ b/core/modules/system/tests/fixtures/psa_feed/valid-mixed.json
@@ -0,0 +1,80 @@
+[
+ {
+ "title":"Critical Release - SA-2019-02-19",
+ "link":"https:\/\/www.drupal.org\/sa-2019-02-19",
+ "project":"drupal",
+ "type":"core",
+ "insecure":[
+ "7.65",
+ "8.5.14",
+ "8.6.13",
+ "8.7.0-alpha2",
+ "8.7.0-beta1",
+ "8.7.0-beta2",
+ "8.6.14",
+ "8.6.15",
+ "7.66",
+ "8.7.0",
+ "[CORE_VERSION]"
+ ],
+ "is_psa":"0",
+ "pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"
+ },
+ {
+ "title":"Critical Release - PSA-Really Old",
+ "link":"https:\/\/www.drupal.org\/psa",
+ "project":"drupal",
+ "type":"core",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Feb 2017 14:11:01 +0000"
+ },
+ {
+ "title":"Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_project",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1"
+
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module1 Test - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_test",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module2_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Missing Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"missing_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+ "7.x-1.7",
+ "8.x-1.4"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ }
+]
diff --git a/core/modules/system/tests/fixtures/psa_feed/valid-non-psa-only.json b/core/modules/system/tests/fixtures/psa_feed/valid-non-psa-only.json
new file mode 100644
index 0000000000000000000000000000000000000000..e8c26482109464917a8492225adf72407f4b89ca
--- /dev/null
+++ b/core/modules/system/tests/fixtures/psa_feed/valid-non-psa-only.json
@@ -0,0 +1,58 @@
+[
+ {
+ "title":"Critical Release - SA-2019-02-19",
+ "link":"https:\/\/www.drupal.org\/sa-2019-02-19",
+ "project":"drupal",
+ "type":"core",
+ "insecure":[
+ "7.65",
+ "8.5.14",
+ "8.6.13",
+ "8.7.0-alpha2",
+ "8.7.0-beta1",
+ "8.7.0-beta2",
+ "8.6.14",
+ "8.6.15",
+ "7.66",
+ "8.7.0",
+ "[CORE_VERSION]"
+ ],
+ "is_psa":"0",
+ "pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"
+ },
+ {
+ "title":"Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_project",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1"
+
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module1 Test - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_test",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Missing Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"missing_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+ "7.x-1.7",
+ "8.x-1.4"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ }
+]
diff --git a/core/modules/system/tests/fixtures/psa_feed/valid-psa-only.json b/core/modules/system/tests/fixtures/psa_feed/valid-psa-only.json
new file mode 100644
index 0000000000000000000000000000000000000000..3b1dc2f89807fecfb85d9c1d1508c71bbef6f46a
--- /dev/null
+++ b/core/modules/system/tests/fixtures/psa_feed/valid-psa-only.json
@@ -0,0 +1,47 @@
+[
+ {
+ "title":"Critical Release - PSA-Really Old",
+ "link":"https:\/\/www.drupal.org\/psa",
+ "project":"drupal",
+ "type":"core",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Feb 2017 14:11:01 +0000"
+ },
+ {
+ "title":"Generic Module1 Test - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_test",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module2_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Missing Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"missing_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+ "7.x-1.7",
+ "8.x-1.4"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ }
+]
diff --git a/core/modules/system/tests/fixtures/psa_feed/valid_plus1.json b/core/modules/system/tests/fixtures/psa_feed/valid_plus1.json
new file mode 100644
index 0000000000000000000000000000000000000000..3675be07fe910bf5770c268db6db5db1c6dcd1dd
--- /dev/null
+++ b/core/modules/system/tests/fixtures/psa_feed/valid_plus1.json
@@ -0,0 +1,92 @@
+[
+ {
+ "title":"Critical Release - SA-2019-02-19",
+ "link":"https:\/\/www.drupal.org\/sa-2019-02-19",
+ "project":"drupal",
+ "type":"core",
+ "insecure":[
+ "7.65",
+ "8.5.14",
+ "8.6.13",
+ "8.7.0-alpha2",
+ "8.7.0-beta1",
+ "8.7.0-beta2",
+ "8.6.14",
+ "8.6.15",
+ "7.66",
+ "8.7.0",
+ "[CORE_VERSION]"
+ ],
+ "is_psa":"0",
+ "pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"
+ },
+ {
+ "title":"Critical Release - PSA-Really Old",
+ "link":"https:\/\/www.drupal.org\/psa",
+ "project":"drupal",
+ "type":"core",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Feb 2017 14:11:01 +0000"
+ },
+ {
+ "title":"Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_project",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1",
+ "8.x-8.7.0"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module1 Test - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module1_test",
+ "type":"module",
+ "is_psa":"0",
+ "insecure":[
+ "8.x-1.1",
+ "8.x-8.7.0"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"generic_module2_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Missing Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02",
+ "link":"https:\/\/www.drupal.org\/SA-CONTRIB-2019-02-02",
+ "project":"missing_project",
+ "type":"module",
+ "is_psa":"1",
+ "insecure":[
+ "7.x-1.7",
+ "8.x-1.4"
+ ],
+ "pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"
+ },
+ {
+ "title":"Critical Release - PSA because 2020",
+ "link":"https:\/\/www.drupal.org\/psa",
+ "project":"drupal",
+ "type":"core",
+ "is_psa":"1",
+ "insecure":[
+
+ ],
+ "pubDate":"Tue, 19 Feb 2020 14:11:01 +0000"
+ }
+]
diff --git a/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.info.yml b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.info.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e25080ca928749dae0b461dc3af087f5cc831a4a
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.info.yml
@@ -0,0 +1,4 @@
+name: 'Advisory feed test'
+type: module
+description: 'Support module for advisory feed testing.'
+package: Testing
diff --git a/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.module b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.module
new file mode 100644
index 0000000000000000000000000000000000000000..abdd8c14e9a449537762ba06328c07088e2a3a13
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.module
@@ -0,0 +1,35 @@
+<?php
+
+/**
+ * @file
+ * Module for testing the display of security advisories.
+ */
+
+use Drupal\Core\Extension\Extension;
+
+/**
+ * Implements hook_system_info_alter().
+ */
+function advisory_feed_test_system_info_alter(&$info, Extension $file) {
+ // Alter the 'generic_module1_test' module to use the 'generic_module1_project'
+ // project name. This ensures that for an extension where the 'name' and
+ // the 'project' properties do not match, 'project' is used for matching
+ // 'project' in the JSON feed.
+ $system_info = [
+ 'generic_module1_test' => [
+ 'project' => 'generic_module1_project',
+ 'version' => '8.x-1.1',
+ 'hidden' => FALSE,
+ ],
+ 'generic_module2_test' => [
+ 'project' => 'generic_module2_project',
+ 'version' => '8.x-1.1',
+ 'hidden' => FALSE,
+ ],
+ ];
+ if (!empty($system_info[$file->getName()])) {
+ foreach ($system_info[$file->getName()] as $key => $value) {
+ $info[$key] = $value;
+ }
+ }
+}
diff --git a/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.routing.yml b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.routing.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9211559254154a9230bc08cde442182dce1635b7
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.routing.yml
@@ -0,0 +1,7 @@
+advisory_feed_test.json_test:
+ path: '/advisory-feed-json/{json_name}'
+ defaults:
+ _title: 'Update test'
+ _controller: '\Drupal\advisory_feed_test\Controller\AdvisoryTestController::getPsaJson'
+ requirements:
+ _access: 'TRUE'
diff --git a/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.services.yml b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.services.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3e99698a4c9e02bef9fbd14591dbdf1209cf1fa4
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/advisory_feed_test.services.yml
@@ -0,0 +1,11 @@
+services:
+ http_client.advisory_feed_test:
+ public: false
+ class: Drupal\advisory_feed_test\AdvisoriesTestHttpClient
+ decorates: http_client
+ arguments: ['@http_client.advisory_feed_test.inner']
+ logger.advisory_feed_test:
+ public: false
+ class: Drupal\advisory_feed_test\TestSystemLoggerChannel
+ decorates: logger.channel.system
+ arguments: ['@logger.advisory_feed_test.inner', '@state']
diff --git a/core/modules/system/tests/modules/advisory_feed_test/src/AdvisoriesTestHttpClient.php b/core/modules/system/tests/modules/advisory_feed_test/src/AdvisoriesTestHttpClient.php
new file mode 100644
index 0000000000000000000000000000000000000000..1f58e9a0a5f8d9681f65808530ccc2c3f7c5cd70
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/src/AdvisoriesTestHttpClient.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Drupal\advisory_feed_test;
+
+use GuzzleHttp\Client;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Provides a decorator service for the 'http_client' service for testing.
+ */
+class AdvisoriesTestHttpClient extends Client {
+
+ /**
+ * The decorated http_client service.
+ *
+ * @var \GuzzleHttp\Client
+ */
+ protected $innerClient;
+
+ /**
+ * Constructs an AdvisoriesTestHttpClient object.
+ *
+ * @param \GuzzleHttp\Client $client
+ * The decorated http_client service.
+ */
+ public function __construct(Client $client) {
+ $this->innerClient = $client;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get($uri, array $options = []): ResponseInterface {
+ $test_end_point = \Drupal::state()->get('advisories_test_endpoint');
+ if ($test_end_point && strpos($uri, '://updates.drupal.org/psa.json') !== FALSE) {
+ // Only override $uri if it matches the advisories JSON feed to avoid
+ // changing any other uses of the 'http_client' service during tests with
+ // this module installed.
+ $uri = $test_end_point;
+ }
+ return $this->innerClient->get($uri, $options);
+ }
+
+ /**
+ * Sets the test endpoint for the advisories JSON feed.
+ *
+ * @param string $test_endpoint
+ * The test endpoint.
+ * @param bool $delete_stored_response
+ * Whether to delete stored feed response.
+ */
+ public static function setTestEndpoint(string $test_endpoint, bool $delete_stored_response = FALSE): void {
+ \Drupal::state()->set('advisories_test_endpoint', $test_endpoint);
+ if ($delete_stored_response) {
+ \Drupal::service('system.sa_fetcher')->deleteStoredResponse();
+ }
+ }
+
+}
diff --git a/core/modules/system/tests/modules/advisory_feed_test/src/Controller/AdvisoryTestController.php b/core/modules/system/tests/modules/advisory_feed_test/src/Controller/AdvisoryTestController.php
new file mode 100644
index 0000000000000000000000000000000000000000..8ea1dc5e8607446cfe3d75b4f0e05b9da73e94f1
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/src/Controller/AdvisoryTestController.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace Drupal\advisory_feed_test\Controller;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Defines a controller to return JSON for security advisory tests.
+ */
+class AdvisoryTestController {
+
+ /**
+ * Reads a JSON file and returns the contents as a Response.
+ *
+ * This method will replace the string '[CORE_VERSION]' with the current core
+ * version to allow testing core version matches.
+ *
+ * @param string $json_name
+ * The name of the JSON file without the file extension.
+ *
+ * @return \Symfony\Component\HttpFoundation\JsonResponse|\Symfony\Component\HttpFoundation\Response
+ * If a fixture file with the name $json_name + '.json' is found a
+ * JsonResponse will be returned using the contents of the file, otherwise a
+ * Response will be returned with a 404 status code.
+ */
+ public function getPsaJson(string $json_name): Response {
+ $file = __DIR__ . "/../../../../fixtures/psa_feed/$json_name.json";
+ $headers = ['Content-Type' => 'application/json; charset=utf-8'];
+ if (!is_file($file)) {
+ // Return an empty response.
+ return new Response('', 404, $headers);
+ }
+ $contents = file_get_contents($file);
+ $contents = str_replace('[CORE_VERSION]', \Drupal::VERSION, $contents);
+ return new JsonResponse($contents, 200, $headers, TRUE);
+ }
+
+}
diff --git a/core/modules/system/tests/modules/advisory_feed_test/src/TestSystemLoggerChannel.php b/core/modules/system/tests/modules/advisory_feed_test/src/TestSystemLoggerChannel.php
new file mode 100644
index 0000000000000000000000000000000000000000..cd65282b53e9180348e17ccc64630e9dd51a0698
--- /dev/null
+++ b/core/modules/system/tests/modules/advisory_feed_test/src/TestSystemLoggerChannel.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Drupal\advisory_feed_test;
+
+use Drupal\Core\Logger\LoggerChannel;
+use Drupal\Core\Logger\LoggerChannelInterface;
+use Drupal\Core\State\StateInterface;
+use Psr\Log\LogLevel;
+
+/**
+ * Provides a decorator for the 'logger.channel.system' service for testing.
+ */
+final class TestSystemLoggerChannel extends LoggerChannel {
+
+ /**
+ * The decorated logger.channel.system service.
+ *
+ * @var \Drupal\Core\Logger\LoggerChannelInterface
+ */
+ protected $innerLogger;
+
+ /**
+ * The state service.
+ *
+ * @var \Drupal\Core\State\StateInterface
+ */
+ protected $state;
+
+ /**
+ * Constructs an AdvisoriesTestHttpClient object.
+ *
+ * @param \Drupal\Core\Logger\LoggerChannelInterface $inner_logger
+ * The decorated logger.channel.system service.
+ * @param \Drupal\Core\State\StateInterface $state
+ * The state service.
+ */
+ public function __construct(LoggerChannelInterface $inner_logger, StateInterface $state) {
+ $this->innerLogger = $inner_logger;
+ $this->state = $state;
+ }
+
+ /**
+ * {@inheritdoc}
+ *
+ * @see \Drupal\Tests\system\Functional\SecurityAdvisories\SecurityAdvisoriesTestTrait::assertServiceAdvisoryLoggedErrors()
+ */
+ public function log($level, $message, array $context = []): void {
+ if ($level === LogLevel::ERROR) {
+ $messages = $this->state->get('advisory_feed_test.error_messages', []);
+ $messages[] = $message;
+ $this->state->set('advisory_feed_test.error_messages', $messages);
+ }
+ $this->innerLogger->log($level, $message, $context);
+ }
+
+}
diff --git a/core/modules/system/tests/modules/generic_module1_test/generic_module1_test.info.yml b/core/modules/system/tests/modules/generic_module1_test/generic_module1_test.info.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7c689c5c9c8bd49ea544085fcc42b80aa838a232
--- /dev/null
+++ b/core/modules/system/tests/modules/generic_module1_test/generic_module1_test.info.yml
@@ -0,0 +1,4 @@
+name: 'Generic Module1 test'
+type: module
+description: 'A testing module with no special functionality. It just exists. Can we say anymore about ourselves? 🤯'
+package: Testing
diff --git a/core/modules/system/tests/modules/generic_module2_test/generic_module2_test.info.yml b/core/modules/system/tests/modules/generic_module2_test/generic_module2_test.info.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6f97fa5ebb1222e88cd368c521fdef57d1aa7f1e
--- /dev/null
+++ b/core/modules/system/tests/modules/generic_module2_test/generic_module2_test.info.yml
@@ -0,0 +1,4 @@
+name: 'Generic Module1 test'
+type: module
+description: 'A another testing module with no special functionality. It just exists. Can we say anymore about ourselves? 🤯'
+package: Testing
diff --git a/core/modules/system/tests/src/Functional/SecurityAdvisories/AdvisoriesUpdatePathTest.php b/core/modules/system/tests/src/Functional/SecurityAdvisories/AdvisoriesUpdatePathTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..b8843f848fc2f874a87aef6bd7921bfcdbc71486
--- /dev/null
+++ b/core/modules/system/tests/src/Functional/SecurityAdvisories/AdvisoriesUpdatePathTest.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace Drupal\Tests\system\Functional\SecurityAdvisories;
+
+use Drupal\FunctionalTests\Update\UpdatePathTestBase;
+
+/**
+ * Tests advisories settings update path.
+ *
+ * @group system
+ */
+class AdvisoriesUpdatePathTest extends UpdatePathTestBase {
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setDatabaseDumpFiles(): void {
+ $this->databaseDumpFiles = [
+ dirname(__DIR__, 3) . '/fixtures/update/drupal-8.8.0.filled.standard.php.gz',
+ ];
+ }
+
+ /**
+ * Tests advisories settings update path.
+ */
+ public function testUpdatePath(): void {
+ $this->assertTrue($this->config('system.advisories')->isNew());
+
+ $this->runUpdates();
+
+ $this->assertSame(6, $this->config('system.advisories')->get('interval_hours'));
+ $this->assertSame(TRUE, $this->config('system.advisories')->get('enabled'));
+ }
+
+}
diff --git a/core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php b/core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..4d6cb3928cc65da369f1fc7ecbefd0f780ae7ffa
--- /dev/null
+++ b/core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php
@@ -0,0 +1,292 @@
+<?php
+
+namespace Drupal\Tests\system\Functional\SecurityAdvisories;
+
+use Drupal\Core\Url;
+use Drupal\Tests\BrowserTestBase;
+use Drupal\Tests\Traits\Core\CronRunTrait;
+use Drupal\advisory_feed_test\AdvisoriesTestHttpClient;
+
+/**
+ * Tests of security advisories functionality.
+ *
+ * @group system
+ */
+class SecurityAdvisoryTest extends BrowserTestBase {
+
+ use CronRunTrait;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected $defaultTheme = 'stark';
+
+ /**
+ * {@inheritdoc}
+ */
+ protected static $modules = [
+ 'system',
+ 'generic_module1_test',
+ 'advisory_feed_test',
+ ];
+
+ /**
+ * A user with permission to administer site configuration and updates.
+ *
+ * @var \Drupal\user\UserInterface
+ */
+ protected $user;
+
+ /**
+ * A test PSA endpoint that will display both PSA and non-PSA advisories.
+ *
+ * @var string
+ */
+ protected $workingEndpointMixed;
+
+ /**
+ * A test PSA endpoint that will only display PSA advisories.
+ *
+ * @var string
+ */
+ protected $workingEndpointPsaOnly;
+
+ /**
+ * A test PSA endpoint that will only display non-PSA advisories.
+ *
+ * @var string
+ */
+ protected $workingEndpointNonPsaOnly;
+
+ /**
+ * A non-working test PSA endpoint.
+ *
+ * @var string
+ */
+ protected $nonWorkingEndpoint;
+
+ /**
+ * A test PSA endpoint that returns invalid JSON.
+ *
+ * @var string
+ */
+ protected $invalidJsonEndpoint;
+
+ /**
+ * The key/value store.
+ *
+ * @var \Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface
+ */
+ protected $tempStore;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+ $this->user = $this->drupalCreateUser([
+ 'access administration pages',
+ 'administer site configuration',
+ 'administer software updates',
+ ]);
+ $this->drupalLogin($this->user);
+ $fixtures_path = $this->baseUrl . '/core/modules/system/tests/fixtures/psa_feed';
+ $this->workingEndpointMixed = $this->buildUrl('/advisory-feed-json/valid-mixed');
+ $this->workingEndpointPsaOnly = $this->buildUrl('/advisory-feed-json/valid-psa-only');
+ $this->workingEndpointNonPsaOnly = $this->buildUrl('/advisory-feed-json/valid-non-psa-only');
+ $this->nonWorkingEndpoint = $this->buildUrl('/advisory-feed-json/missing');
+ $this->invalidJsonEndpoint = "$fixtures_path/invalid.json";
+
+ $this->tempStore = $this->container->get('keyvalue.expirable')->get('system');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function writeSettings(array $settings): void {
+ // Unset 'system.advisories' to allow testing enabling and disabling this
+ // setting.
+ unset($settings['config']['system.advisories']);
+ parent::writeSettings($settings);
+ }
+
+ /**
+ * Tests that a security advisory is displayed.
+ */
+ public function testPsa(): void {
+ $assert = $this->assertSession();
+ // Setup test PSA endpoint.
+ AdvisoriesTestHttpClient::setTestEndpoint($this->workingEndpointMixed);
+ $mixed_advisory_links = [
+ 'Critical Release - SA-2019-02-19',
+ 'Critical Release - PSA-Really Old',
+ // The info for the test modules 'generic_module1_test' and
+ // 'generic_module2_test' are altered for this test so match the items in
+ // the test json feeds.
+ // @see advisory_feed_test_system_info_alter()
+ 'Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
+ 'Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
+ ];
+ // Confirm that links are not displayed if they are enabled.
+ $this->config('system.advisories')->set('enabled', FALSE)->save();
+ $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
+ $this->config('system.advisories')->set('enabled', TRUE)->save();
+
+ // A new request for the JSON feed will not be made on admin pages besides
+ // the status report.
+ $this->assertAdvisoriesNotDisplayed($mixed_advisory_links, ['system.admin']);
+
+ // If both PSA and non-PSA advisories are displayed they should be displayed
+ // as errors.
+ $this->assertStatusReportLinks($mixed_advisory_links, REQUIREMENT_ERROR);
+ // The advisories will be displayed on admin pages if the response was
+ // stored from the status report request.
+ $this->assertAdminPageLinks($mixed_advisory_links, REQUIREMENT_ERROR);
+
+ // Confirm that a user without the correct permission will not see the
+ // advisories on admin pages.
+ $this->drupalLogin($this->drupalCreateUser([
+ 'access administration pages',
+ ]));
+ $this->assertAdvisoriesNotDisplayed($mixed_advisory_links, ['system.admin']);
+
+ // Log back in with user with permission to see the advisories.
+ $this->drupalLogin($this->user);
+ // Test cache.
+ AdvisoriesTestHttpClient::setTestEndpoint($this->nonWorkingEndpoint);
+ $this->assertAdminPageLinks($mixed_advisory_links, REQUIREMENT_ERROR);
+ $this->assertStatusReportLinks($mixed_advisory_links, REQUIREMENT_ERROR);
+
+ // Tests transmit errors with a JSON endpoint.
+ $this->tempStore->delete('advisories_response');
+ $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
+
+ // Test that the site status report displays an error.
+ $this->drupalGet(Url::fromRoute('system.status'));
+ $assert->pageTextContains('Failed to fetch security advisory data:');
+
+ // Test a PSA endpoint that returns invalid JSON.
+ AdvisoriesTestHttpClient::setTestEndpoint($this->invalidJsonEndpoint, TRUE);
+ // Assert that are no logged error messages before attempting to fetch the
+ // invalid endpoint.
+ $this->assertServiceAdvisoryLoggedErrors([]);
+ // On admin pages no message should be displayed if the feed is malformed.
+ $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
+ // Assert that there was an error logged for the invalid endpoint.
+ $this->assertServiceAdvisoryLoggedErrors(['The security advisory JSON feed from Drupal.org could not be decoded.']);
+ // On the status report there should be no announcements section.
+ $this->drupalGet(Url::fromRoute('system.status'));
+ $assert->pageTextNotContains('Failed to fetch security advisory data:');
+ // Assert the error was logged again.
+ $this->assertServiceAdvisoryLoggedErrors(['The security advisory JSON feed from Drupal.org could not be decoded.']);
+
+ AdvisoriesTestHttpClient::setTestEndpoint($this->workingEndpointPsaOnly, TRUE);
+ $psa_advisory_links = [
+ 'Critical Release - PSA-Really Old',
+ 'Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
+ ];
+ // Admin page will not display the new links because a new feed request is
+ // not attempted.
+ $this->assertAdvisoriesNotDisplayed($psa_advisory_links, ['system.admin']);
+ // If only PSA advisories are displayed they should be displayed as
+ // warnings.
+ $this->assertStatusReportLinks($psa_advisory_links, REQUIREMENT_WARNING);
+ $this->assertAdminPageLinks($psa_advisory_links, REQUIREMENT_WARNING);
+
+ AdvisoriesTestHttpClient::setTestEndpoint($this->workingEndpointNonPsaOnly, TRUE);
+ $non_psa_advisory_links = [
+ 'Critical Release - SA-2019-02-19',
+ 'Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
+ ];
+ // If only non-PSA advisories are displayed they should be displayed as
+ // errors.
+ $this->assertStatusReportLinks($non_psa_advisory_links, REQUIREMENT_ERROR);
+ $this->assertAdminPageLinks($non_psa_advisory_links, REQUIREMENT_ERROR);
+
+ // Confirm that advisory fetching can be disabled after enabled.
+ $this->config('system.advisories')->set('enabled', FALSE)->save();
+ $this->assertAdvisoriesNotDisplayed($non_psa_advisory_links);
+ // Assert no other errors were logged.
+ $this->assertServiceAdvisoryLoggedErrors([]);
+ }
+
+ /**
+ * Asserts the correct links appear on an admin page.
+ *
+ * @param string[] $expected_link_texts
+ * The expected links' text.
+ * @param int $error_or_warning
+ * Whether the links are a warning or an error. Should be one of the REQUIREMENT_* constants.
+ */
+ private function assertAdminPageLinks(array $expected_link_texts, int $error_or_warning): void {
+ $assert = $this->assertSession();
+ $this->drupalGet(Url::fromRoute('system.admin'));
+ if ($error_or_warning === REQUIREMENT_ERROR) {
+ $assert->pageTextContainsOnce('Error message');
+ $assert->pageTextNotContains('Warning message');
+ }
+ else {
+ $assert->pageTextNotContains('Error message');
+ $assert->pageTextContainsOnce('Warning message');
+ }
+ foreach ($expected_link_texts as $expected_link_text) {
+ $assert->linkExists($expected_link_text);
+ }
+ }
+
+ /**
+ * Asserts the correct links appear on the status report page.
+ *
+ * @param string[] $expected_link_texts
+ * The expected links' text.
+ * @param int $error_or_warning
+ * Whether the links are a warning or an error. Should be one of the REQUIREMENT_* constants.
+ */
+ private function assertStatusReportLinks(array $expected_link_texts, int $error_or_warning): void {
+ $this->drupalGet(Url::fromRoute('system.status'));
+ $assert = $this->assertSession();
+ $selector = 'h3#' . ($error_or_warning === REQUIREMENT_ERROR ? 'error' : 'warning')
+ . ' ~ details.system-status-report__entry:contains("Critical security announcements")';
+ $assert->elementExists('css', $selector);
+ foreach ($expected_link_texts as $expected_link_text) {
+ $assert->linkExists($expected_link_text);
+ }
+ }
+
+ /**
+ * Asserts that security advisory links are not shown on admin pages.
+ *
+ * @param array $links
+ * The advisory links.
+ * @param array $routes
+ * The routes to test.
+ */
+ private function assertAdvisoriesNotDisplayed(array $links, array $routes = ['system.status', 'system.admin']): void {
+ foreach ($routes as $route) {
+ $this->drupalGet(Url::fromRoute($route));
+ $this->assertSession()->statusCodeEquals(200);
+ foreach ($links as $link) {
+ $this->assertSession()->linkNotExists($link, "'$link' not displayed on route '$route'.");
+ }
+ }
+ }
+
+ /**
+ * Asserts the expected error messages were logged on the system logger.
+ *
+ * The test module 'advisory_feed_test' must be installed to use this method.
+ * The stored error messages are cleared during this method.
+ *
+ * @param string[] $expected_messages
+ * The expected error messages.
+ *
+ * @see \Drupal\advisory_feed_test\TestSystemLoggerChannel::log()
+ */
+ protected function assertServiceAdvisoryLoggedErrors(array $expected_messages): void {
+ $state = $this->container->get('state');
+ $messages = $state->get('advisory_feed_test.error_messages', []);
+ $this->assertSame($expected_messages, $messages);
+ $state->set('advisory_feed_test.error_messages', []);
+ }
+
+}
diff --git a/core/modules/system/tests/src/Kernel/SecurityAdvisories/SecurityAdvisoriesFetcherTest.php b/core/modules/system/tests/src/Kernel/SecurityAdvisories/SecurityAdvisoriesFetcherTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..294b90dbb2810c1f8b0c74c00fd08f43c9da067b
--- /dev/null
+++ b/core/modules/system/tests/src/Kernel/SecurityAdvisories/SecurityAdvisoriesFetcherTest.php
@@ -0,0 +1,751 @@
+<?php
+
+namespace Drupal\Tests\system\Kernel\SecurityAdvisories;
+
+use Drupal\Core\Extension\Extension;
+use Drupal\Core\Extension\ModuleExtensionList;
+use Drupal\Core\Logger\RfcLoggerTrait;
+use Drupal\Core\Logger\RfcLogLevel;
+use Drupal\KernelTests\KernelTestBase;
+use GuzzleHttp\Client;
+use GuzzleHttp\Exception\TransferException;
+use GuzzleHttp\Handler\MockHandler;
+use GuzzleHttp\HandlerStack;
+use GuzzleHttp\Middleware;
+use GuzzleHttp\Psr7\Response;
+use Psr\Log\LoggerInterface;
+
+/**
+ * @coversDefaultClass \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
+ *
+ * @group system
+ */
+class SecurityAdvisoriesFetcherTest extends KernelTestBase implements LoggerInterface {
+
+ use RfcLoggerTrait;
+
+ /**
+ * The log messages from watchdog_exception.
+ *
+ * @var string[]
+ */
+ protected $watchdogExceptionMessages = [];
+
+ /**
+ * The log error log messages.
+ *
+ * @var string[]
+ */
+ protected $logErrorMessages = [];
+
+ /**
+ * {@inheritdoc}
+ */
+ protected static $modules = [
+ 'system',
+ 'advisory_feed_test',
+ ];
+
+ /**
+ * History of requests/responses.
+ *
+ * @var array
+ */
+ protected $history = [];
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+ $this->installConfig('system');
+ $this->container->get('logger.factory')->addLogger($this);
+ }
+
+ /**
+ * Tests contrib advisories that should be displayed.
+ *
+ * @param mixed[] $feed_item
+ * The feed item to test. 'title' and 'link' are omitted from this array
+ * because they do not need to vary between test cases.
+ * @param string|null $existing_version
+ * The existing version of the module.
+ *
+ * @dataProvider providerShowAdvisories
+ */
+ public function testShowAdvisories(array $feed_item, string $existing_version = NULL): void {
+ $this->setFeedItems([$feed_item]);
+ if ($existing_version !== NULL) {
+ $this->setExistingProjectVersion($existing_version);
+ }
+ $links = $this->getAdvisories();
+ $this->assertCount(1, $links);
+ $this->assertSame('http://example.com', $links[0]->getUrl());
+ $this->assertSame('SA title', $links[0]->getTitle());
+ $this->assertCount(1, $this->history);
+ }
+
+ /**
+ * Data provider for testShowAdvisories().
+ */
+ public function providerShowAdvisories(): array {
+ return [
+ 'contrib:exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0.0'],
+ ],
+ 'existing_version' => '1.0.0',
+ ],
+ 'contrib:exact:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:not-exact:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '1.0',
+
+ ],
+ 'contrib:non-matching:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-2.0',
+ ],
+ 'contrib:no-insecure:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => [],
+ ],
+ 'existing_version' => '8.x-2.0',
+ ],
+ 'contrib:no-existing-version:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-2.0'],
+ ],
+ 'existing_version' => '',
+ ],
+ 'contrib:dev:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => [],
+ ],
+ 'existing_version' => '8.x-2.x-dev',
+ ],
+ 'contrib:existing-dev-match-minor:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.x-dev',
+ ],
+ 'contrib:existing-dev-match-major-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.1.1'],
+ ],
+ 'existing_version' => '8.x-dev',
+ ],
+ 'contrib:existing-dev-match-minor-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.2.1'],
+ ],
+ 'existing_version' => '8.2.x-dev',
+ ],
+ 'core:exact:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => [\Drupal::VERSION],
+ ],
+ ],
+ 'core:exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => [\Drupal::VERSION],
+ ],
+ ],
+ 'core:not-exact:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => ['9.1'],
+ ],
+ ],
+ 'core:non-matching:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => ['9.0.0'],
+ ],
+ ],
+ 'core:no-insecure:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => [],
+ ],
+ ],
+ ];
+ }
+
+ /**
+ * Tests advisories that should be ignored.
+ *
+ * @param mixed[] $feed_item
+ * The feed item to test. 'title' and 'link' are omitted from this array
+ * because they do not need to vary between test cases.
+ * @param string|null $existing_version
+ * The existing version of the module.
+ *
+ * @dataProvider providerIgnoreAdvisories
+ */
+ public function testIgnoreAdvisories(array $feed_item, string $existing_version = NULL): void {
+ $this->setFeedItems([$feed_item]);
+ if ($existing_version !== NULL) {
+ $this->setExistingProjectVersion($existing_version);
+ }
+ $this->assertCount(0, $this->getAdvisories());
+ $this->assertCount(1, $this->history);
+ }
+
+ /**
+ * Data provider for testIgnoreAdvisories().
+ */
+ public function providerIgnoreAdvisories(): array {
+ return [
+ 'contrib:not-exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:non-matching:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.1'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:not-exact:non-psa-reversed' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '1.0',
+ ],
+ 'contrib:semver-non-exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0'],
+ ],
+ 'existing_version' => '1.0.0',
+ ],
+ 'contrib:semver-major-match-not-minor:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.1.0'],
+ ],
+ 'existing_version' => '1.0.0',
+ ],
+ 'contrib:semver-major-minor-match-not-patch:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.1.1'],
+ ],
+ 'existing_version' => '1.1.0',
+ ],
+ 'contrib:non-matching-not-exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.1'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:both-extra:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0-extraStringNotSpecial'],
+ ],
+ 'existing_version' => '8.x-1.0-alsoNotSpecialNotMatching',
+ ],
+ 'contrib:semver-7major-match:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['7.x-1.0'],
+ ],
+ 'existing_version' => '1.0.0',
+ ],
+ 'contrib:different-majors:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['7.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:semver-different-majors:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0.0'],
+ ],
+ 'existing_version' => '2.0.0',
+ ],
+ 'contrib:no-version:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.1'],
+ ],
+ 'existing_version' => '',
+ ],
+ 'contrib:insecure-extra:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0-extraStringNotSpecial'],
+ ],
+ 'existing_version' => '8.x-1.0',
+ ],
+ 'contrib:existing-dev-different-minor:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-2.x-dev',
+ ],
+ 'contrib:existing-dev-different-major:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['7.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.x-dev',
+ ],
+ 'contrib:existing-dev-different-major-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.0.0'],
+ ],
+ 'existing_version' => '9.0.x-dev',
+ ],
+ 'contrib:existing-dev-different-major-no-minor-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.0.0'],
+ ],
+ 'existing_version' => '9.x-dev',
+ ],
+ 'contrib:existing-dev-different-minor-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0.0'],
+ ],
+ 'existing_version' => '1.1.0-dev',
+ ],
+ 'contrib:existing-dev-different-minor-x-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['1.0.0'],
+ ],
+ 'existing_version' => '1.1.x-dev',
+ ],
+ 'contrib:existing-dev-different-8major-semver:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-dev',
+ ],
+ 'contrib:non-existing-project:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'non_existing_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ ],
+ 'contrib:non-existing-project:psa' => [
+ 'feed_item' => [
+ 'is_psa' => 1,
+ 'type' => 'module',
+ 'project' => 'non_existing_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ ],
+ 'core:non-matching:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => ['9.0.0'],
+ ],
+ ],
+ 'core:non-matching-not-exact:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => ['9.1'],
+ ],
+ ],
+ 'core:no-insecure:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => [],
+ ],
+ ],
+ 'contrib:existing-extra:non-psa' => [
+ 'feed_item' => [
+ 'is_psa' => 0,
+ 'type' => 'module',
+ 'project' => 'the_project',
+ 'insecure' => ['8.x-1.0'],
+ ],
+ 'existing_version' => '8.x-1.0-extraStringNotSpecial',
+
+ ],
+ ];
+ }
+
+ /**
+ * Sets the feed items to be returned for the test.
+ *
+ * @param mixed[][] $feed_items
+ * The feeds items to test. Every time the http_client makes a request the
+ * next item in this array will be returned. For each feed item 'title' and
+ * 'link' are omitted because they do not need to vary between test cases.
+ */
+ protected function setFeedItems(array $feed_items): void {
+ $responses = [];
+ foreach ($feed_items as $feed_item) {
+ $feed_item += [
+ 'title' => 'SA title',
+ 'link' => 'http://example.com',
+ ];
+ $responses[] = new Response('200', [], json_encode([$feed_item]));
+ }
+ $this->setTestFeedResponses($responses);
+ }
+
+ /**
+ * Sets the existing version of the project.
+ *
+ * @param string $existing_version
+ * The existing version of the project.
+ */
+ protected function setExistingProjectVersion(string $existing_version): void {
+ $module_list = $this->prophesize(ModuleExtensionList::class);
+ $extension = $this->prophesize(Extension::class)->reveal();
+ $extension->info = [
+ 'project' => 'the_project',
+ ];
+ if (!empty($existing_version)) {
+ $extension->info['version'] = $existing_version;
+ }
+ $module_list->getList()->willReturn([$extension]);
+ $this->container->set('extension.list.module', $module_list->reveal());
+ }
+
+ /**
+ * Tests that the stored advisories response is deleted on interval decrease.
+ */
+ public function testIntervalConfigUpdate(): void {
+ $feed_item_1 = [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'title' => 'Oh no🙀! Advisory 1',
+ 'project' => 'drupal',
+ 'insecure' => [\Drupal::VERSION],
+ ];
+ $feed_item_2 = [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'title' => 'Oh no😱! Advisory 2',
+ 'project' => 'drupal',
+ 'insecure' => [\Drupal::VERSION],
+ ];
+ $this->setFeedItems([$feed_item_1, $feed_item_2]);
+ $advisories = $this->getAdvisories();
+ $this->assertCount(1, $advisories);
+ $this->assertSame($feed_item_1['title'], $advisories[0]->getTitle());
+ $this->assertCount(1, $this->history);
+
+ // Ensure that new feed item is not retrieved because the stored response
+ // has not expired.
+ $advisories = $this->getAdvisories();
+ $this->assertCount(1, $this->history);
+ $this->assertCount(1, $advisories);
+ $this->assertSame($feed_item_1['title'], $advisories[0]->getTitle());
+
+ /** @var \Drupal\Core\Config\Config $config */
+ $config = $this->container->get('config.factory')->getEditable('system.advisories');
+ $interval = $config->get('interval_hours');
+ $config->set('interval_hours', $interval + 1)->save();
+
+ // Ensure that new feed item is not retrieved when the interval is
+ // increased.
+ $advisories = $this->getAdvisories();
+ $this->assertCount(1, $this->history);
+ $this->assertCount(1, $advisories);
+ $this->assertSame($feed_item_1['title'], $advisories[0]->getTitle());
+
+ // Ensure that new feed item is retrieved when the interval is decreased.
+ $config->set('interval_hours', $interval - 1)->save();
+ $advisories = $this->getAdvisories();
+ $this->assertCount(2, $this->history);
+ $this->assertCount(1, $advisories);
+ $this->assertSame($feed_item_2['title'], $advisories[0]->getTitle());
+ }
+
+ /**
+ * Tests that invalid JSON feed responses are not stored.
+ */
+ public function testInvalidJsonResponse(): void {
+ $non_json_response = new Response(200, [], '1');
+ $json_response = new Response(200, [], '[]');
+ // Set 2 non-JSON responses and 1 JSON response.
+ $this->setTestFeedResponses([
+ $non_json_response,
+ $non_json_response,
+ $json_response,
+ ]);
+ $this->assertNull($this->getAdvisories());
+ $this->assertCount(1, $this->history);
+ $this->assertServiceAdvisoryLoggedErrors(['The security advisory JSON feed from Drupal.org could not be decoded.']);
+
+ // Confirm that previous non-JSON response was not stored.
+ $this->assertNull($this->getAdvisories());
+ $this->assertCount(2, $this->history);
+ $this->assertServiceAdvisoryLoggedErrors(['The security advisory JSON feed from Drupal.org could not be decoded.']);
+
+ // Confirm that if $allow_http_request is set to FALSE a new request will
+ // not be attempted.
+ $this->assertNull($this->getAdvisories(FALSE));
+ $this->assertCount(2, $this->history);
+
+ // Make a 3rd request that will return a valid JSON response.
+ $this->assertCount(0, $this->getAdvisories());
+ $this->assertCount(3, $this->history);
+
+ // Confirm that getting the advisories after a valid JSON response will use
+ // the stored response and not make another 'http_client' request.
+ $this->assertCount(0, $this->getAdvisories());
+ $this->assertCount(3, $this->history);
+ $this->assertServiceAdvisoryLoggedErrors([]);
+ }
+
+ /**
+ * @covers ::doRequest
+ * @covers ::getSecurityAdvisories
+ */
+ public function testHttpFallback(): void {
+ $this->setSetting('update_fetch_with_http_fallback', TRUE);
+ $feed_item = [
+ 'is_psa' => 1,
+ 'type' => 'core',
+ 'project' => 'drupal',
+ 'insecure' => [\Drupal::VERSION],
+ 'title' => 'SA title',
+ 'link' => 'http://example.com',
+ ];
+ $this->setTestFeedResponses([
+ new Response('500', [], 'HTTPS failed'),
+ new Response('200', [], json_encode([$feed_item])),
+ ]);
+ $advisories = $this->getAdvisories();
+
+ // There should be two request / response pairs.
+ $this->assertCount(2, $this->history);
+
+ // The first request should have been HTTPS and should have failed.
+ $first_try = $this->history[0];
+ $this->assertNotEmpty($first_try);
+ $this->assertEquals('https', $first_try['request']->getUri()->getScheme());
+ $this->assertEquals(500, $first_try['response']->getStatusCode());
+
+ // The second request should have been the HTTP fallback and should have
+ // worked.
+ $second_try = $this->history[1];
+ $this->assertNotEmpty($second_try);
+ $this->assertEquals('http', $second_try['request']->getUri()->getScheme());
+ $this->assertEquals(200, $second_try['response']->getStatusCode());
+
+ $this->assertCount(1, $advisories);
+ $this->assertSame('http://example.com', $advisories[0]->getUrl());
+ $this->assertSame('SA title', $advisories[0]->getTitle());
+ $this->assertSame(["Server error: `GET https://updates.drupal.org/psa.json` resulted in a `500 Internal Server Error` response:\nHTTPS failed\n"], $this->watchdogExceptionMessages);
+ }
+
+ /**
+ * @covers ::doRequest
+ * @covers ::getSecurityAdvisories
+ */
+ public function testNoHttpFallback(): void {
+ $this->setTestFeedResponses([
+ new Response('500', [], 'HTTPS failed'),
+ ]);
+
+ $exception_thrown = FALSE;
+ try {
+ $this->getAdvisories();
+ }
+ catch (TransferException $exception) {
+ $this->assertSame("Server error: `GET https://updates.drupal.org/psa.json` resulted in a `500 Internal Server Error` response:\nHTTPS failed\n", $exception->getMessage());
+ $exception_thrown = TRUE;
+ }
+ $this->assertTrue($exception_thrown);
+ // There should only be one request / response pair.
+ $this->assertCount(1, $this->history);
+ $request = $this->history[0]['request'];
+ $this->assertNotEmpty($request);
+ // It should have only been an HTTPS request.
+ $this->assertEquals('https', $request->getUri()->getScheme());
+ // And it should have failed.
+ $response = $this->history[0]['response'];
+ $this->assertEquals(500, $response->getStatusCode());
+ }
+
+ /**
+ * Gets the advisories from the 'system.sa_fetcher' service.
+ *
+ * @param bool $allow_http_request
+ * Argument to pass on to
+ * SecurityAdvisoriesFetcher::getSecurityAdvisories().
+ *
+ * @return \Drupal\system\SecurityAdvisories\SecurityAdvisory[]|null
+ * The return value of SecurityAdvisoriesFetcher::getSecurityAdvisories().
+ */
+ protected function getAdvisories(bool $allow_http_request = TRUE): ?array {
+ $fetcher = $this->container->get('system.sa_fetcher');
+ return $fetcher->getSecurityAdvisories($allow_http_request);
+ }
+
+ /**
+ * Sets test feed responses.
+ *
+ * @param \GuzzleHttp\Psr7\Response[] $responses
+ * The responses for the http_client service to return.
+ */
+ protected function setTestFeedResponses(array $responses): void {
+ // Create a mock and queue responses.
+ $mock = new MockHandler($responses);
+ $handler_stack = HandlerStack::create($mock);
+ $history = Middleware::history($this->history);
+ $handler_stack->push($history);
+ // Rebuild the container because the 'system.sa_fetcher' service and other
+ // services may already have an instantiated instance of the 'http_client'
+ // service without these changes.
+ $this->container->get('kernel')->rebuildContainer();
+ $this->container = $this->container->get('kernel')->getContainer();
+ $this->container->get('logger.factory')->addLogger($this);
+ $this->container->set('http_client', new Client(['handler' => $handler_stack]));
+ }
+
+ /**
+ * Asserts the expected error messages were logged.
+ *
+ * @param string[] $expected_messages
+ * The expected error messages.
+ */
+ protected function assertServiceAdvisoryLoggedErrors(array $expected_messages): void {
+ $this->assertSame($expected_messages, $this->logErrorMessages);
+ $this->logErrorMessages = [];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function log($level, $message, array $context = []): void {
+ if (isset($context['@message'])) {
+ $this->watchdogExceptionMessages[] = $context['@message'];
+ }
+ if ($level === RfcLogLevel::ERROR) {
+ $this->logErrorMessages[] = $message;
+ }
+ }
+
+}
diff --git a/core/modules/system/tests/src/Unit/SecurityAdvisories/SecurityAdvisoryTest.php b/core/modules/system/tests/src/Unit/SecurityAdvisories/SecurityAdvisoryTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..8a499fbc62bde1674b6756cec69a773b7546313e
--- /dev/null
+++ b/core/modules/system/tests/src/Unit/SecurityAdvisories/SecurityAdvisoryTest.php
@@ -0,0 +1,183 @@
+<?php
+
+namespace Drupal\Tests\system\Unit\SecurityAdvisories;
+
+use Drupal\Tests\UnitTestCase;
+use Drupal\system\SecurityAdvisories\SecurityAdvisory;
+
+/**
+ * @coversDefaultClass \Drupal\system\SecurityAdvisories\SecurityAdvisory
+ *
+ * @group system
+ */
+class SecurityAdvisoryTest extends UnitTestCase {
+
+ /**
+ * Tests creating with valid data.
+ *
+ * @param mixed[] $changes
+ * The changes to the valid data set to test.
+ * @param mixed[] $expected
+ * The expected changes for the object methods.
+ *
+ * @covers ::createFromArray
+ * @covers ::isCoreAdvisory
+ * @covers ::isPsa
+ *
+ * @dataProvider providerCreateFromArray
+ */
+ public function testCreateFromArray(array $changes, array $expected = []): void {
+ $data = $changes;
+ $data += $this->getValidData();
+ $expected += $data;
+
+ $sa = SecurityAdvisory::createFromArray($data);
+ $this->assertInstanceOf(SecurityAdvisory::class, $sa);
+ $this->assertSame($expected['title'], $sa->getTitle());
+ $this->assertSame($expected['project'], $sa->getProject());
+ $this->assertSame($expected['type'], $sa->getProjectType());
+ $this->assertSame($expected['link'], $sa->getUrl());
+ $this->assertSame($expected['insecure'], $sa->getInsecureVersions());
+ $this->assertSame($expected['is_psa'], $sa->isPsa());
+ $this->assertSame($expected['type'] === 'core', $sa->isCoreAdvisory());
+ }
+
+ /**
+ * Data provider for testCreateFromArray().
+ */
+ public function providerCreateFromArray(): array {
+ return [
+ // For 'is_psa' the return value should converted to any array.
+ [
+ ['is_psa' => 1],
+ ['is_psa' => TRUE],
+ ],
+ [
+ ['is_psa' => '1'],
+ ['is_psa' => TRUE],
+ ],
+ [
+ ['is_psa' => TRUE],
+ ['is_psa' => TRUE],
+ ],
+ [
+ ['is_psa' => 0],
+ ['is_psa' => FALSE],
+ ],
+ [
+ ['is_psa' => '0'],
+ ['is_psa' => FALSE],
+ ],
+ [
+ ['is_psa' => FALSE],
+ ['is_psa' => FALSE],
+ ],
+ // Test cases that ensure ::isCoreAdvisory only returns TRUE for core.
+ [
+ ['type' => 'module'],
+ ],
+ [
+ ['type' => 'theme'],
+ ],
+ [
+ ['type' => 'core'],
+ ],
+ ];
+ }
+
+ /**
+ * Tests exceptions with missing fields.
+ *
+ * @param string $missing_field
+ * The field to test.
+ *
+ * @covers ::createFromArray
+ *
+ * @dataProvider providerCreateFromArrayMissingField
+ */
+ public function testCreateFromArrayMissingField(string $missing_field): void {
+ $data = $this->getValidData();
+ unset($data[$missing_field]);
+ $this->expectException(\UnexpectedValueException::class);
+ $expected_message = 'Malformed security advisory:.*' . preg_quote("[$missing_field]:", '/');
+ $expected_message .= '.*This field is missing';
+ $this->expectExceptionMessageMatches("/$expected_message/s");
+ SecurityAdvisory::createFromArray($data);
+ }
+
+ /**
+ * Data provider for testCreateFromArrayMissingField().
+ */
+ public function providerCreateFromArrayMissingField(): array {
+ return [
+ 'title' => ['title'],
+ 'link' => ['link'],
+ 'project' => ['project'],
+ 'type' => ['type'],
+ 'is_psa' => ['is_psa'],
+ 'insecure' => ['insecure'],
+ ];
+ }
+
+ /**
+ * Tests exceptions for invalid field types.
+ *
+ * @param string $invalid_field
+ * The field to test for an invalid value.
+ * @param string $expected_type_message
+ * The expected message for the field.
+ *
+ * @covers ::createFromArray
+ *
+ * @dataProvider providerCreateFromArrayInvalidField
+ */
+ public function testCreateFromArrayInvalidField(string $invalid_field, string $expected_type_message): void {
+ $data = $this->getValidData();
+ // Set the field a value that is not valid for any of the fields in the
+ // feed.
+ $data[$invalid_field] = new \stdClass();
+ $this->expectException(\UnexpectedValueException::class);
+ $expected_message = 'Malformed security advisory:.*' . preg_quote("[$invalid_field]:", '/');
+ $expected_message .= ".*$expected_type_message";
+ $this->expectExceptionMessageMatches("/$expected_message/s");
+ SecurityAdvisory::createFromArray($data);
+ }
+
+ /**
+ * Data provider for testCreateFromArrayInvalidField().
+ */
+ public function providerCreateFromArrayInvalidField(): array {
+ return [
+ 'title' => ['title', 'This value should be of type string.'],
+ 'link' => ['link', 'This value should be of type string.'],
+ 'project' => ['project', 'This value should be of type string.'],
+ 'type' => ['type', 'This value should be of type string.'],
+ 'is_psa' => ['is_psa', 'The value you selected is not a valid choice.'],
+ 'insecure' => ['insecure', 'This value should be of type array.'],
+ ];
+ }
+
+ /**
+ * Gets valid data for a security advisory.
+ *
+ * @return mixed[]
+ * The data for the security advisory.
+ */
+ protected function getValidData(): array {
+ return [
+ 'title' => 'Generic Module1 Test - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
+ 'link' => 'https://www.drupal.org/SA-CONTRIB-2019-02-02',
+ 'project' => 'generic_module1_test',
+ 'type' => 'module',
+ 'is_psa' => FALSE,
+ 'insecure' => [
+ '8.x-1.1',
+ ],
+ 'pubDate' => 'Tue, 19 Mar 2019 12 => 50 => 00 +0000',
+ // New fields added to the JSON feed should be ignored and not cause a
+ // validation error.
+ 'unknown_field' => 'ignored value',
+ ];
+ }
+
+}
diff --git a/core/modules/update/src/Form/UpdateManagerUpdate.php b/core/modules/update/src/Form/UpdateManagerUpdate.php
index aeabd99a8311c9b2d00d813edee46483f40b543d..df49813a1d7b70e1f060750246821f375ff52e47 100644
--- a/core/modules/update/src/Form/UpdateManagerUpdate.php
+++ b/core/modules/update/src/Form/UpdateManagerUpdate.php
@@ -8,9 +8,9 @@
use Drupal\Core\Link;
use Drupal\Core\State\StateInterface;
use Drupal\Core\Url;
+use Drupal\Core\Extension\ExtensionVersion;
use Drupal\update\UpdateFetcherInterface;
use Drupal\update\UpdateManagerInterface;
-use Drupal\update\ModuleVersion;
use Symfony\Component\DependencyInjection\ContainerInterface;
/**
@@ -142,7 +142,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
$recommended_release = $project['releases'][$project['recommended']];
$recommended_version = '{{ release_version }} (<a href="{{ release_link }}" title="{{ project_title }}">{{ release_notes }}</a>)';
- $recommended_version_parser = ModuleVersion::createFromVersionString($recommended_release['version']);
+ $recommended_version_parser = ExtensionVersion::createFromVersionString($recommended_release['version']);
if ($recommended_version_parser->getMajorVersion() != $project['existing_major']) {
$recommended_version .= '<div title="{{ major_update_warning_title }}" class="update-major-version-warning">{{ major_update_warning_text }}</div>';
}
diff --git a/core/modules/update/src/ModuleVersion.php b/core/modules/update/src/ModuleVersion.php
index 987674107f549f7c5cf33078ee8bc9ea62fe5314..43da4039cc0cc5fae36f535d6a51939b27f51963 100644
--- a/core/modules/update/src/ModuleVersion.php
+++ b/core/modules/update/src/ModuleVersion.php
@@ -5,9 +5,13 @@
/**
* Provides a module version value object.
*
+ * @deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Use
+ * \Drupal\Core\Extension\ExtensionVersion instead. As an internal class
+ * ExtensionVersion may also be removed in a minor release.
+ *
* @internal
*
- * @see https://www.drupal.org/drupalorg/docs/apis/update-status-xml.
+ * @see https://www.drupal.org/node/3095201
*/
final class ModuleVersion {
@@ -85,6 +89,7 @@ public static function createFromVersionString($version_string) {
* The extra version string.
*/
private function __construct($major_version, $version_extra) {
+ @trigger_error(__CLASS__ . ' is deprecated in drupal:9.2.0 and will be removed before drupal:10.0.0. Use The \Drupal\Core\Extension\ExtensionVersion instead. As an internal class, ExtensionVersion may also be removed in a minor release.', E_USER_DEPRECATED);
$this->majorVersion = $major_version;
$this->versionExtra = $version_extra;
}
diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
index 3d6630fc4bd1fea249274ba6c063bb2f045d0cfc..5ca63c49aab892d42de5b48fa53b40a58848eb21 100644
--- a/core/modules/update/src/ProjectSecurityData.php
+++ b/core/modules/update/src/ProjectSecurityData.php
@@ -2,6 +2,8 @@
namespace Drupal\update;
+use Drupal\Core\Extension\ExtensionVersion;
+
/**
* Calculates a project's security coverage information.
*
@@ -129,7 +131,7 @@ public function getCoverageInfo() {
return [];
}
$info = [];
- $existing_release_version = ModuleVersion::createFromVersionString($this->existingVersion);
+ $existing_release_version = ExtensionVersion::createFromVersionString($this->existingVersion);
// Check if the installed version has a specific end date defined.
$version_suffix = $existing_release_version->getMajorVersion() . '_' . $this->getSemanticMinorVersion($this->existingVersion);
@@ -165,7 +167,7 @@ public function getCoverageInfo() {
* NULL if this cannot be determined.
*/
private function getSecurityCoverageUntilVersion() {
- $existing_release_version = ModuleVersion::createFromVersionString($this->existingVersion);
+ $existing_release_version = ExtensionVersion::createFromVersionString($this->existingVersion);
if (!empty($existing_release_version->getVersionExtra())) {
// Only full releases receive security coverage.
return NULL;
@@ -215,10 +217,10 @@ private function getSecurityCoverageUntilVersion() {
* @see \Drupal\update\ProjectSecurityData\getSecurityCoverageUntilVersion()
*/
private function getAdditionalSecurityCoveredMinors($security_covered_version) {
- $security_covered_version_major = ModuleVersion::createFromVersionString($security_covered_version)->getMajorVersion();
+ $security_covered_version_major = ExtensionVersion::createFromVersionString($security_covered_version)->getMajorVersion();
$security_covered_version_minor = $this->getSemanticMinorVersion($security_covered_version);
foreach ($this->releases as $release) {
- $release_version = ModuleVersion::createFromVersionString($release['version']);
+ $release_version = ExtensionVersion::createFromVersionString($release['version']);
if ($release_version->getMajorVersion() === $security_covered_version_major && $release['status'] === 'published' && !$release_version->getVersionExtra()) {
// The releases are ordered with the most recent releases first.
// Therefore, if we have found a published, official release with the
diff --git a/core/modules/update/tests/src/Unit/ModuleVersionTest.php b/core/modules/update/tests/src/Unit/ModuleVersionTest.php
index 7eaabed00829eb5b6c6fe250f7823b7b1a9b9f85..75812ad5546e2047260e097c2edc5d0f3a218fbd 100644
--- a/core/modules/update/tests/src/Unit/ModuleVersionTest.php
+++ b/core/modules/update/tests/src/Unit/ModuleVersionTest.php
@@ -8,6 +8,7 @@
/**
* @coversDefaultClass \Drupal\update\ModuleVersion
*
+ * @group legacy
* @group update
*/
class ModuleVersionTest extends UnitTestCase {
diff --git a/core/modules/update/update.compare.inc b/core/modules/update/update.compare.inc
index 9dffec60a2a17a82a23bbb609050e29412291815..2a9f09942ecac6f6708c99f6d4855f1c69214c58 100644
--- a/core/modules/update/update.compare.inc
+++ b/core/modules/update/update.compare.inc
@@ -5,9 +5,9 @@
* Code required only when comparing available updates to existing data.
*/
+use Drupal\Core\Extension\ExtensionVersion;
use Drupal\update\UpdateFetcherInterface;
use Drupal\update\UpdateManagerInterface;
-use Drupal\update\ModuleVersion;
use Drupal\update\ProjectCoreCompatibility;
/**
@@ -275,7 +275,7 @@ function update_calculate_project_update_status(&$project_data, $available) {
return;
}
try {
- $existing_major = ModuleVersion::createFromVersionString($project_data['existing_version'])->getMajorVersion();
+ $existing_major = ExtensionVersion::createFromVersionString($project_data['existing_version'])->getMajorVersion();
}
catch (UnexpectedValueException $exception) {
// If the version has an unexpected value we can't determine updates.
@@ -307,7 +307,7 @@ function update_calculate_project_update_status(&$project_data, $available) {
$project_data['status'] = UpdateManagerInterface::NOT_SUPPORTED;
foreach ($supported_branches as $supported_branch) {
try {
- $target_major = ModuleVersion::createFromSupportBranch($supported_branch)->getMajorVersion();
+ $target_major = ExtensionVersion::createFromSupportBranch($supported_branch)->getMajorVersion();
}
catch (UnexpectedValueException $exception) {
@@ -357,7 +357,7 @@ function update_calculate_project_update_status(&$project_data, $available) {
foreach ($available['releases'] as $version => $release) {
try {
- $release_module_version = ModuleVersion::createFromVersionString($release['version']);
+ $release_module_version = ExtensionVersion::createFromVersionString($release['version']);
}
catch (UnexpectedValueException $exception) {
continue;
diff --git a/core/tests/Drupal/Tests/Core/Extension/ExtensionVersionTest.php b/core/tests/Drupal/Tests/Core/Extension/ExtensionVersionTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..3eb1b4b1c8b18b9118a630d8d7c245783c7d0611
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Extension/ExtensionVersionTest.php
@@ -0,0 +1,451 @@
+<?php
+
+namespace Drupal\Tests\Core\Extension;
+
+use Drupal\Core\Extension\ExtensionVersion;
+use Drupal\Tests\UnitTestCase;
+
+/**
+ * @coversDefaultClass \Drupal\Core\Extension\ExtensionVersion
+ *
+ * @group Extension
+ */
+class ExtensionVersionTest extends UnitTestCase {
+
+ /**
+ * @covers ::getMajorVersion
+ *
+ * @dataProvider providerVersionInfos
+ *
+ * @param string $version
+ * The version string to test.
+ * @param array $expected_version_info
+ * The expected version information.
+ */
+ public function testGetMajorVersion(string $version, array $expected_version_info): void {
+ $version = ExtensionVersion::createFromVersionString($version);
+ $this->assertSame($expected_version_info['major'], $version->getMajorVersion());
+ }
+
+ /**
+ * @covers ::getMinorVersion
+ *
+ * @dataProvider providerVersionInfos
+ *
+ * @param string $version
+ * The version string to test.
+ * @param array $expected_version_info
+ * The expected version information.
+ */
+ public function testGetMinorVersion(string $version, array $expected_version_info): void {
+ $version = ExtensionVersion::createFromVersionString($version);
+ $this->assertSame($expected_version_info['minor'], $version->getMinorVersion());
+ }
+
+ /**
+ * @covers ::getVersionExtra
+ *
+ * @dataProvider providerVersionInfos
+ *
+ * @param string $version
+ * The version string to test.
+ * @param array $expected_version_info
+ * The expected version information.
+ */
+ public function testGetVersionExtra(string $version, array $expected_version_info): void {
+ $version = ExtensionVersion::createFromVersionString($version);
+ $this->assertSame($expected_version_info['extra'], $version->getVersionExtra());
+ }
+
+ /**
+ * Data provider for expected version information.
+ *
+ * @return mixed[][]
+ * Arrays of version information.
+ */
+ public function providerVersionInfos(): array {
+ // Data provider values are:
+ // - The version number to test.
+ // - Array of expected version information with the following keys:
+ // -'major': The expected result from ::getMajorVersion().
+ // -'extra': The expected result from ::getVersionExtra().
+ return [
+ '8.x-1.3' => [
+ '8.x-1.3',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => NULL,
+ ],
+ ],
+ '8.x-1.0' => [
+ '8.x-1.0',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => NULL,
+ ],
+ ],
+ '8.x-1.0-alpha1' => [
+ '8.x-1.0-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '8.x-1.3-alpha1' => [
+ '8.x-1.3-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '0.1' => [
+ '0.1',
+ [
+ 'major' => '0',
+ 'minor' => NULL,
+ 'extra' => NULL,
+ ],
+ ],
+ '1.0' => [
+ '1.0',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => NULL,
+ ],
+ ],
+ '1.3' => [
+ '1.3',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => NULL,
+ ],
+ ],
+ '1.0-alpha1' => [
+ '1.0-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '1.3-alpha1' => [
+ '1.3-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '0.2.0' => [
+ '0.2.0',
+ [
+ 'major' => '0',
+ 'minor' => '2',
+ 'extra' => NULL,
+ ],
+ ],
+ '1.2.0' => [
+ '1.2.0',
+ [
+ 'major' => '1',
+ 'minor' => '2',
+ 'extra' => NULL,
+ ],
+ ],
+ '1.0.3' => [
+ '1.0.3',
+ [
+ 'major' => '1',
+ 'minor' => '0',
+ 'extra' => NULL,
+ ],
+ ],
+ '1.2.3' => [
+ '1.2.3',
+ [
+ 'major' => '1',
+ 'minor' => '2',
+ 'extra' => NULL,
+ ],
+ ],
+ '1.2.0-alpha1' => [
+ '1.2.0-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => '2',
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '1.2.3-alpha1' => [
+ '1.2.3-alpha1',
+ [
+ 'major' => '1',
+ 'minor' => '2',
+ 'extra' => 'alpha1',
+ ],
+ ],
+ '8.x-1.x-dev' => [
+ '8.x-1.x-dev',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'dev',
+ ],
+ ],
+ '8.x-8.x-dev' => [
+ '8.x-8.x-dev',
+ [
+ 'major' => '8',
+ 'minor' => NULL,
+ 'extra' => 'dev',
+ ],
+ ],
+ '1.x-dev' => [
+ '1.x-dev',
+ [
+ 'major' => '1',
+ 'minor' => NULL,
+ 'extra' => 'dev',
+ ],
+ ],
+ '8.x-dev' => [
+ '8.x-dev',
+ [
+ 'major' => '8',
+ 'minor' => NULL,
+ 'extra' => 'dev',
+ ],
+ ],
+ '1.0.x-dev' => [
+ '1.0.x-dev',
+ [
+ 'major' => '1',
+ 'minor' => '0',
+ 'extra' => 'dev',
+ ],
+ ],
+ '1.2.x-dev' => [
+ '1.2.x-dev',
+ [
+ 'major' => '1',
+ 'minor' => '2',
+ 'extra' => 'dev',
+ ],
+ ],
+ ];
+ }
+
+ /**
+ * @covers ::createFromVersionString
+ *
+ * @dataProvider providerInvalidVersionNumber
+ *
+ * @param string $version
+ * The version string to test.
+ */
+ public function testInvalidVersionNumber(string $version): void {
+ $this->expectException(\UnexpectedValueException::class);
+ $this->expectExceptionMessage("Unexpected version number in: $version");
+ ExtensionVersion::createFromVersionString($version);
+ }
+
+ /**
+ * Data provider for testInvalidVersionNumber().
+ *
+ * @return string[]
+ * The test cases for testInvalidVersionNumber().
+ */
+ public function providerInvalidVersionNumber(): array {
+ return static::createKeyedTestCases([
+ '',
+ '8',
+ 'x',
+ 'xx',
+ '8.x-',
+ '8.x',
+ '.x',
+ '.0',
+ '.1',
+ '.1.0',
+ '1.0.',
+ 'x.1',
+ '1.x.0',
+ '1.1.x',
+ '1.1.x-extra',
+ 'x.1.1',
+ '1.1.1.1',
+ '1.1.1.0',
+ ]);
+ }
+
+ /**
+ * @covers ::createFromVersionString
+ *
+ * @dataProvider providerInvalidVersionCorePrefix
+ *
+ * @param string $version
+ * The version string to test.
+ */
+ public function testInvalidVersionCorePrefix(string $version): void {
+ $this->expectException(\UnexpectedValueException::class);
+ $this->expectExceptionMessage("Unexpected version core prefix in $version. The only core prefix expected in \Drupal\Core\Extension\ExtensionVersion is: 8.x-");
+ ExtensionVersion::createFromVersionString($version);
+ }
+
+ /**
+ * Data provider for testInvalidVersionCorePrefix().
+ *
+ * @return string[]
+ * The test cases for testInvalidVersionCorePrefix().
+ */
+ public function providerInvalidVersionCorePrefix(): array {
+ return static::createKeyedTestCases([
+ '6.x-1.0',
+ '7.x-1.x',
+ '9.x-1.x',
+ '10.x-1.x',
+ ]);
+ }
+
+ /**
+ * @covers ::createFromSupportBranch
+ *
+ * @dataProvider providerInvalidBranchCorePrefix
+ *
+ * @param string $branch
+ * The branch to test.
+ */
+ public function testInvalidBranchCorePrefix(string $branch): void {
+ $this->expectException(\UnexpectedValueException::class);
+ $this->expectExceptionMessage("Unexpected version core prefix in {$branch}0. The only core prefix expected in \Drupal\Core\Extension\ExtensionVersion is: 8.x-");
+ ExtensionVersion::createFromSupportBranch($branch);
+ }
+
+ /**
+ * Data provider for testInvalidBranchCorePrefix().
+ *
+ * @return string[]
+ * The test cases for testInvalidBranchCorePrefix().
+ */
+ public function providerInvalidBranchCorePrefix(): array {
+ return static::createKeyedTestCases([
+ '6.x-1.',
+ '7.x-1.',
+ '9.x-1.',
+ '10.x-1.',
+ ]);
+ }
+
+ /**
+ * @covers ::createFromSupportBranch
+ *
+ * @dataProvider providerCreateFromSupportBranch
+ *
+ * @param string $branch
+ * The branch to test.
+ * @param string $expected_major
+ * The expected major version.
+ */
+ public function testCreateFromSupportBranch(string $branch, string $expected_major): void {
+ $version = ExtensionVersion::createFromSupportBranch($branch);
+ $this->assertInstanceOf(ExtensionVersion::class, $version);
+ $this->assertSame($expected_major, $version->getMajorVersion());
+ // Version extra can't be determined from a branch.
+ $this->assertSame(NULL, $version->getVersionExtra());
+ }
+
+ /**
+ * Data provider for testCreateFromSupportBranch().
+ *
+ * @return string[][]
+ * The test cases for testCreateFromSupportBranch().
+ */
+ public function providerCreateFromSupportBranch(): array {
+ // Data provider values are:
+ // - The version number to test.
+ // - Array of expected version information with the following keys:
+ // -'major': The expected result from ::getMajorVersion().
+ // -'extra': The expected result from ::getVersionExtra().
+ return [
+ '0.' => [
+ '0.',
+ '0',
+ ],
+ '1.' => [
+ '1.',
+ '1',
+ ],
+ '0.1.' => [
+ '0.1.',
+ '0',
+ ],
+ '1.2.' => [
+ '1.2.',
+ '1',
+ ],
+ '8.x-1.' => [
+ '8.x-1.',
+ '1',
+ ],
+ ];
+ }
+
+ /**
+ * @covers ::createFromSupportBranch
+ *
+ * @dataProvider provideInvalidBranch
+ *
+ * @param string $branch
+ * The branch to test.
+ */
+ public function testInvalidBranch(string $branch): void {
+ $this->expectException(\UnexpectedValueException::class);
+ $this->expectExceptionMessage("Invalid support branch: $branch");
+ ExtensionVersion::createFromSupportBranch($branch);
+ }
+
+ /**
+ * Data provider for testInvalidBranch().
+ *
+ * @return string[]
+ * The test cases for testInvalidBranch().
+ */
+ public function provideInvalidBranch(): array {
+ return self::createKeyedTestCases([
+ '8.x-1.0',
+ '8.x-2.x',
+ '2.x-1.0',
+ '1.1',
+ '1.x',
+ '1.1.x',
+ '1.1.1',
+ '1.1.1.1',
+ ]);
+ }
+
+ /**
+ * Creates test case arrays for data provider methods.
+ *
+ * @param string[] $test_arguments
+ * The test arguments.
+ *
+ * @return mixed[]
+ * An array with $test_arguments as keys and each element of $test_arguments
+ * as a single item array
+ */
+ protected static function createKeyedTestCases(array $test_arguments): array {
+ return array_combine(
+ $test_arguments,
+ array_map(function ($test_argument) {
+ return [$test_argument];
+ }, $test_arguments)
+ );
+ }
+
+}
diff --git a/core/themes/stable/templates/admin/system-security-advisories-fetch-error-message.html.twig b/core/themes/stable/templates/admin/system-security-advisories-fetch-error-message.html.twig
new file mode 100644
index 0000000000000000000000000000000000000000..e86ba3b3b3c0f9bb41915e61518dc9681ea96ace
--- /dev/null
+++ b/core/themes/stable/templates/admin/system-security-advisories-fetch-error-message.html.twig
@@ -0,0 +1,16 @@
+{#
+/**
+ * @file
+ * Theme override for the message when fetching security advisories fails.
+ *
+ * This error message is displayed on the status report page.
+ *
+ * Available variables:
+ * - error_message: A render array containing the appropriate error message.
+ *
+ * @see template_preprocess_system_security_advisories_fetch_error_message()
+ *
+ * @ingroup themeable
+ */
+#}
+{{ error_message }}
diff --git a/core/themes/stable9/templates/admin/system-security-advisories-fetch-error-message.html.twig b/core/themes/stable9/templates/admin/system-security-advisories-fetch-error-message.html.twig
new file mode 100644
index 0000000000000000000000000000000000000000..e86ba3b3b3c0f9bb41915e61518dc9681ea96ace
--- /dev/null
+++ b/core/themes/stable9/templates/admin/system-security-advisories-fetch-error-message.html.twig
@@ -0,0 +1,16 @@
+{#
+/**
+ * @file
+ * Theme override for the message when fetching security advisories fails.
+ *
+ * This error message is displayed on the status report page.
+ *
+ * Available variables:
+ * - error_message: A render array containing the appropriate error message.
+ *
+ * @see template_preprocess_system_security_advisories_fetch_error_message()
+ *
+ * @ingroup themeable
+ */
+#}
+{{ error_message }}
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index d0fbcd3512fb1c21c637dc40ed782f60bfb91e1d..0165492a545e74127e36d644e0c341e5f9f827cf 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -308,16 +308,18 @@
$settings['update_free_access'] = FALSE;
/**
- * Fallback to HTTP for Update Manager.
- *
- * If your Drupal site fails to connect to updates.drupal.org using HTTPS to
- * fetch Drupal core, module and theme update status, you may uncomment this
- * setting and set it to TRUE to allow an insecure fallback to HTTP. Note that
- * doing so will open your site up to a potential man-in-the-middle attack. You
- * should instead attempt to resolve the issues before enabling this option.
+ * Fallback to HTTP for Update Manager and for fetching security advisories.
+ *
+ * If your site fails to connect to updates.drupal.org over HTTPS (either when
+ * fetching data on available updates, or when fetching the feed of critical
+ * security announcements), you may uncomment this setting and set it to TRUE to
+ * allow an insecure fallback to HTTP. Note that doing so will open your site up
+ * to a potential man-in-the-middle attack. You should instead attempt to
+ * resolve the issues before enabling this option.
* @see https://www.drupal.org/docs/system-requirements/php-requirements#openssl
* @see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
* @see \Drupal\update\UpdateFetcher
+ * @see \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
*/
# $settings['update_fetch_with_http_fallback'] = TRUE;