[5.4] Automated Core Update Client

[SniperSister]

Summary of Changes

This PR implements automated core updates for Joomla. It's the "client" implementation, the server implementation can be found here: https://github.com/joomla-projects/Automated-Updates-Server

In general, the implemented concept utilizes existing logic and functionality ans has been built as a thin "remote control" layer around the current code:

• Update retrieval is handled by TUF, guaranteeing reliable, trustworthy update information. The information about a new version is therefore not "pushed" by the autoupdate server (causing potential loopholes if the server is compromised) but fetched by the site itself
• Update download and checksum handling is performed by the existing model, that com_joomlaupdate uses
• Update extraction is performed using the standalone extraction script of com_joomlaupdate - as this script normally resides in the administrator folder and that folder is often protected by additional measures (IP blocks, basic auth checks), a statement in the main index.php has been ended to require that script directly, allowing direct access
• Postinstall scripts are again performed by the existing com_joomlaupdate models

The communication between the update server (which handles periodic health checks and triggers the updates) and the site happens via a bunch of newly added webservice endpoints. For access control, an auth token, that is generated in the site and is sent to the server on registration, is used.

Besides these endpoints, the PR adds multiple "supporting" extensions and tweaks:

• a postinstall message, highlighting the new feature on existing installations, pushing site owners to enable it
• a guided tour, highlighting the new feature too
• a quick icon, displaying the current feature and connection status
• new mail templates to notify admins about successful or failed updates
• CLI commands to register and unregister a site in the autoupdate server.

This PR is joint effort together with @rdeutz @bembelimen @HLeithner - thank you guys! Thank you @brianteeman for the language support :) and thank you @richard67 for taking care of the adjustments to 5.4

Testing Instructions

The following instructions will cover a full autoupdate cycle. In order for the update to be performed, you have to install the site on a publicly accessible server. A local enviroment will not work.

1a. Install a new Joomla site using the package provided at Full Download
1b. Update a Joomla site using the package provided at Update Download
1c. Update without automated update, change in the database table #_update_sites the column location to https://update.joomla.org/alpha/, change in the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php in line 123 to $updateURL = 'https://update.joomla.org/alpha/';
4. Log into the administrator site and check that the guided tour for the new feature is shown; that login will also trigger the registration of your site in the update server
5. As a (faked) newer version is available, the update server will trigger an autoupdate of your newly installed site automatically. This process will take approx. 5-10 minutes.
6. When the update is completed (or failed) you'll receive an email to the address provided during the installation process
7. Verify the update result after the mail has been received
8. Manually disable autoupdates using the provided option in com_joomlaupdate; verify the registration state using the quickicon in the dashboard
9. Re-Enable autoupdates and verify the state again

Link to documentations

Please select:

• Documentation link for docs.joomla.org: Todo

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[MacJoom]

Partly successfully tested

• Updated an existing Website from 5.3.0 to 5.4.103
• Make sure you are on Update Channel default and Minimum Stability: Stable,
• Change in Joomla Update to Update Channel default and Minimum Stability Stable, enabled Autoupdate
• Upon Save & Close first time:
  
• Save & Close second time (no changes made), OK (Registered to automated update service.)
• Automated Update was done almost immedatly, Email Sent

[HLeithner]

• oomla Update to Update Channel default and Minimum Stability Stable, enabled Autoupdate

was caching activated for this site?

[MacJoom]

• oomla Update to Update Channel default and Minimum Stability Stable, enabled Autoupdate

was caching activated for this site?

Yes - without caching (conservative & progressive) Save & Close works every time.

[HLeithner]

• oomla Update to Update Channel default and Minimum Stability Stable, enabled Autoupdate

was caching activated for this site?

Yes - without caching (conservative & progressive) Save & Close works every time.

ok make sense because joomla caches the component options and we likely load it from the cache in the next second, we will see how we can solve this. Cache invalidation would be the best case but might be tricky. As alternative we could load the information directly...

[HLeithner]

I added the 2 known issues to the pr description and would like to postpone the fix for this to a follow up pr to get this merged into the alpha1 so it can be tested easier.

[MacJoom]

I have tested this item ✅ successfully on b25bba3

Works! From existing 5.3.0 to 5.4.103 and automatically to 5.4.104

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45143.}

[SniperSister]

I added the 2 known issues to the pr description and would like to postpone the fix for this to a follow up pr to get this merged into the alpha1 so it can be tested easier.

The known issues have been resolved

[richard67]

I have tested this item ✅ successfully on b25bba3

I've successfully tested that it works, also when the site is set to offline.

In addition, I've tested updating a 5.3 to the patched package of this PR with MySQL and PostgreSQL to see if the update SQL scripts are right.

Finally I've downloaded the 5.4.105 packages used for the test and have verified that they don't contain any unexpected differences to the patched packages for this PR, except of the wanted patch for the update site and the version and that it is behind the 5.4-dev branch with some changes, but that is not related to the functionality added by this PR.

What is not nice is that if you use the button in the Guided Tour for activating the auto updates, the settings show up for a short moment, but then you are back in the guided tours, and there is no visual indication if it has worked or not until you leave the guided tours and check the quick icon or the settings.

But I think this can be fixed with a follow up PR.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45143.}

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45143.}

[muhme]

A big thank you to all contributers and testers!

[richard67]

From me a big thank you, too.