+++ /dev/null
-<?php
-
-namespace Drupal\security_review;
-
-use Drupal\Core\Config\ConfigFactoryInterface;
-use Drupal\Core\DependencyInjection\DependencySerializationTrait;
-use Drupal\Core\Extension\ModuleHandlerInterface;
-use Drupal\Core\Logger\RfcLogLevel;
-use Drupal\Core\Session\AccountProxyInterface;
-use Drupal\Core\State\StateInterface;
-
-/**
- * A class containing static methods regarding the module's configuration.
- */
-class SecurityReview {
-
- use DependencySerializationTrait;
-
- /**
- * Temporary logging setting.
- *
- * @var null|bool
- */
- protected static $temporaryLogging = NULL;
-
- /**
- * The config factory.
- *
- * @var \Drupal\Core\Config\ConfigFactoryInterface
- */
- protected $configFactory;
-
- /**
- * The config storage.
- *
- * @var \Drupal\Core\Config\Config
- */
- protected $config;
-
- /**
- * The state storage.
- *
- * @var \Drupal\Core\State\StateInterface
- */
- protected $state;
-
- /**
- * The module handler.
- *
- * @var \Drupal\Core\Extension\ModuleHandlerInterface
- */
- protected $moduleHandler;
-
- /**
- * The current user.
- *
- * @var \Drupal\Core\Session\AccountProxyInterface
- */
- protected $currentUser;
-
- /**
- * Constructs a SecurityReview instance.
- *
- * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
- * The config factory.
- * @param \Drupal\Core\State\StateInterface $state
- * The state storage.
- * @param \Drupal\Core\Extension\ModuleHandlerInterface $module_handler
- * The module handler.
- * @param \Drupal\Core\Session\AccountProxyInterface $current_user
- * The current user.
- */
- public function __construct(ConfigFactoryInterface $config_factory, StateInterface $state, ModuleHandlerInterface $module_handler, AccountProxyInterface $current_user) {
- // Store the dependencies.
- $this->configFactory = $config_factory;
- $this->config = $config_factory->getEditable('security_review.settings');
- $this->state = $state;
- $this->moduleHandler = $module_handler;
- $this->currentUser = $current_user;
- }
-
- /**
- * Returns whether the module has been configured.
- *
- * If the module has been configured on the settings page this function
- * returns true. Otherwise it returns false.
- *
- * @return bool
- * A boolean indicating whether the module has been configured.
- */
- public function isConfigured() {
- return $this->config->get('configured') === TRUE;
- }
-
- /**
- * Returns true if logging is enabled, otherwise returns false.
- *
- * @return bool
- * A boolean indicating whether logging is enabled.
- */
- public function isLogging() {
- // Check for temporary logging.
- if (static::$temporaryLogging !== NULL) {
- return static::$temporaryLogging;
- }
-
- return $this->config->get('log') === TRUE;
- }
-
- /**
- * Returns the last time Security Review has been run.
- *
- * @return int
- * The last time Security Review has been run.
- */
- public function getLastRun() {
- return $this->state->get('last_run', 0);
- }
-
- /**
- * Returns the IDs of the stored untrusted roles.
- *
- * @return string[]
- * Stored untrusted roles' IDs.
- */
- public function getUntrustedRoles() {
- return $this->config->get('untrusted_roles');
- }
-
- /**
- * Sets the 'configured' flag.
- *
- * @param bool $configured
- * The new value of the 'configured' setting.
- */
- public function setConfigured($configured) {
- $this->config->set('configured', $configured);
- $this->config->save();
- }
-
- /**
- * Sets the 'logging' flag.
- *
- * @param bool $logging
- * The new value of the 'logging' setting.
- * @param bool $temporary
- * Whether to set only temporarily.
- */
- public function setLogging($logging, $temporary = FALSE) {
- if (!$temporary) {
- $this->config->set('log', $logging);
- $this->config->save();
- }
- else {
- static::$temporaryLogging = ($logging == TRUE);
- }
- }
-
- /**
- * Sets the 'last_run' value.
- *
- * @param int $last_run
- * The new value for 'last_run'.
- */
- public function setLastRun($last_run) {
- $this->state->set('last_run', $last_run);
- }
-
- /**
- * Stores the given 'untrusted_roles' setting.
- *
- * @param string[] $untrusted_roles
- * The new untrusted roles' IDs.
- */
- public function setUntrustedRoles(array $untrusted_roles) {
- $this->config->set('untrusted_roles', $untrusted_roles);
- $this->config->save();
- }
-
- /**
- * Logs an event.
- *
- * @param \Drupal\security_review\Check $check
- * The Check the message is about.
- * @param string $message
- * The message.
- * @param array $context
- * The context of the message.
- * @param int $level
- * Severity (RfcLogLevel).
- */
- public function log(Check $check, $message, array $context, $level) {
- if (static::isLogging()) {
- $this->moduleHandler->invokeAll(
- 'security_review_log',
- [
- 'check' => $check,
- 'message' => $message,
- 'context' => $context,
- 'level' => $level,
- ]
- );
- }
- }
-
- /**
- * Logs a check result.
- *
- * @param \Drupal\security_review\CheckResult $result
- * The result to log.
- */
- public function logCheckResult(CheckResult $result = NULL) {
- if ($this->isLogging()) {
- if ($result == NULL) {
- $check = $result->check();
- $context = [
- '@check' => $check->getTitle(),
- '@namespace' => $check->getNamespace(),
- ];
- $this->log($check, '@check of @namespace produced a null result', $context, RfcLogLevel::CRITICAL);
- return;
- }
-
- $check = $result->check();
-
- // Fallback log message.
- $level = RfcLogLevel::NOTICE;
- $message = '@name check invalid result';
-
- // Set log message and level according to result.
- switch ($result->result()) {
- case CheckResult::SUCCESS:
- $level = RfcLogLevel::INFO;
- $message = '@name check succeeded';
- break;
-
- case CheckResult::FAIL:
- $level = RfcLogLevel::ERROR;
- $message = '@name check failed';
- break;
-
- case CheckResult::WARN:
- $level = RfcLogLevel::WARNING;
- $message = '@name check raised a warning';
- break;
-
- case CheckResult::INFO:
- $level = RfcLogLevel::INFO;
- $message = '@name check returned info';
- break;
- }
-
- $context = ['@name' => $check->getTitle()];
- $this->log($check, $message, $context, $level);
- }
- }
-
- /**
- * Deletes orphaned check data.
- */
- public function cleanStorage() {
- /** @var \Drupal\security_review\Checklist $checklist */
- $checklist = \Drupal::service('security_review.checklist');
-
- // Get list of check configuration names.
- $orphaned = $this->configFactory->listAll('security_review.check.');
-
- // Remove items that are used by the checks.
- foreach ($checklist->getChecks() as $check) {
- $key = array_search('security_review.check.' . $check->id(), $orphaned);
- if ($key !== FALSE) {
- unset($orphaned[$key]);
- }
- }
-
- // Delete orphaned configuration data.
- foreach ($orphaned as $config_name) {
- $config = $this->configFactory->getEditable($config_name);
- $config->delete();
- }
- }
-
- /**
- * Stores information about the server into the State system.
- */
- public function setServerData() {
- if (!static::isServerPosix() || PHP_SAPI === 'cli') {
- return;
- }
- // Determine web server's uid and groups.
- $uid = posix_getuid();
- $groups = posix_getgroups();
-
- // Store the data in the State system.
- $this->state->set('security_review.server.uid', $uid);
- $this->state->set('security_review.server.groups', $groups);
- }
-
- /**
- * Returns whether the server is POSIX.
- *
- * @return bool
- * Whether the web server is POSIX based.
- */
- public function isServerPosix() {
- return function_exists('posix_getuid');
- }
-
- /**
- * Returns the UID of the web server.
- *
- * @return int
- * UID of the web server's user.
- */
- public function getServerUid() {
- return $this->state->get('security_review.server.uid');
- }
-
- /**
- * Returns the GIDs of the web server.
- *
- * @return int[]
- * GIDs of the web server's user.
- */
- public function getServerGids() {
- return $this->state->get('security_review.server.groups');
- }
-
-}