pantheon-security-update

#!/bin/bash
# pantheon-security-update
# Bash script to run security updates on a Pantheon site.

# Include all of the subscripts that we need.
DIR="${BASH_SOURCE%/*}"
if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
. "$DIR/functions/pantheon-script-colours"
. "$DIR/functions/pantheon-terminus-check"
. "$DIR/functions/pantheon-authenticate"
. "$DIR/functions/pantheon-choose-site"
. "$DIR/functions/pantheon-get-framework"
. "$DIR/functions/pantheon-multidev-create"
. "$DIR/functions/pantheon-cleanup-on-error"
. "$DIR/functions/pantheon-multidev-delete"
. "$DIR/functions/pantheon-multidev-merge"
. "$DIR/functions/pantheon-get-multidev-url"
. "$DIR/functions/pantheon-connection-mode"
. "$DIR/functions/drupal/drupal-get-drush-version"
. "$DIR/functions/drupal/drupal-check-features"
. "$DIR/functions/drupal/drupal-regenerate-features"
. "$DIR/functions/drupal/drupal-update"
. "$DIR/functions/drupal8/drupal8-check-config-management"
. "$DIR/functions/drupal8/drupal8-update"
. "$DIR/functions/wp/wp-update"

###
# Run security updates.
#
# @param string $SITENAME
#   The machine name of the site.
# @param string $FRAMEWORK
#   The framework of the site.
# @param string $MULTIDEV
#   The machine name of the multidev.
##
multidev_update() {
  local sitename=$1
  local framework=$2
  local multidev=$3
  local url=''
  get_multidev_url $sitename $multidev url

  case $framework in
    drupal)
      # We don't actually care what version of Drush is running, but this function
      # will bail if it's a totally incompatible version.
      local drushmajorversion=''
      local drushminorversion=''
      local drushpointversion=''
      drupal_get_drush_version "$sitename" $framework "$MULTIDEV" drushmajorversion drushminorversion drushpointversion

      drupal_check_features $sitename $multidev
      local hasfeatures=$?
      multidev_upstream_update $sitename $framework $multidev
      connection_mode "$SITENAME" "$MULTIDEV" 'sftp'
      drupal_update $sitename $multidev
      if [ "$hasfeatures" == 1 ]; then
        drupal_regenerate_features $sitename $multidev
      fi
      connection_mode "$SITENAME" "$MULTIDEV" 'git'
      ;;
    wordpress|wordpress_network)
      # @todo Check for WP-CFM (WP's version of config management), and check for overrides.
      multidev_upstream_update $sitename $framework $multidev
      connection_mode "$SITENAME" "$MULTIDEV" 'sftp'
      wp_update $sitename $multidev
      # @todo If WP-CFM, then update config.
      connection_mode "$SITENAME" "$MULTIDEV" 'git'
      ;;
    drupal8)
      echo -e "All Drupal 8/9 sites should now be updated with Composer only.  You may run the \`pantheon-multidev-merge\` script when you are ready to merge and deploy."
      echo -e "See https://docs.google.com/document/d/1JvoTX49mcQ2m8kQblQIMpJFP_Fw8eCE_3xQWe7zBLc4/edit#"
      echo -e "You may run the \`pantheon-multidev-merge\` script when you are ready to merge and deploy."
      exit 0
      ;;
    *)
      echo -e "$framework is not yet supported.  Do whatever it is that you do to run security updates on the multi-site, then continue."
      echo -e "  $url"
      read -p "${UNDERLINE}Continue [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
      case $continue in
        [Nn])
          echo -e "You may run the \`pantheon-multidev-merge\` script when you are ready to merge and deploy."
          exit 0
          ;;
        *) ;;
      esac
      ;;
  esac

  echo -e ""
  echo -e "  $url"
  echo -e "Please confirm that you can: "
  echo -e "* Log into the website"
  echo -e "* View the site status report"
  echo -e "* View the recent log entries"
  echo -e ""
  echo -e "${UNDERLINE}Do you wish to merge this multidev into the dev environment?${NOUNDERLINE}"
  echo -e "Some common cases where you shouldn't:"
  echo -e "* You're new to the team and would like a more experienced person to check first."
  echo -e "* If this was a wide-reaching change, and you are not familiar enough with the site to know if things are broken or not.  If so, then get the client to review."
  # @todo check for this.
  echo -e "* If there is undeployed code on the dev environment."
  echo -e "* If you first need to run visual regression tests."
  read -p "${UNDERLINE}Merge?  [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
  case $continue in
    [Nn])
      echo -e "You may run the \`pantheon-multidev-merge\` script when you are ready to merge and deploy."
      exit 0
      ;;
    *) ;;
  esac
}

###
# Check for upstream updates and run them if necessary.
#
# @param string $SITENAME
#   The machine name of the site.
# @param string $MULTIDEV
#   The machine name of the multidev.
##
function multidev_upstream_update() {
  local sitename=$1
  local framework=$2
  local multidev=$3

  echo -e "Checking for an update with $framework upstream."
  local status=`terminus upstream:updates:status ${sitename}.${multidev} 2>/dev/null`
  if [ "$status" == "outdated" ]; then
    echo -e "$framework upstream needs to be updated."
    terminus upstream:updates:list ${sitename}.${multidev} --fields=datetime,message,author
    read -p "${UNDERLINE}Apply the updates?  [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
    case $continue in
      [Nn]) return 0 ;;
      *) ;;
    esac
    # We will be in SFTP mode due to the features/config check that already ran.
    connection_mode "$sitename" "$multidev" 'git'
    echo -e "Updating."
    terminus upstream:updates:apply ${sitename}.${multidev}
    if [ $? != 0 ]; then
      echo -e "There was a problem applying the updates. Should we try to automatically resolve merge conflicts, or do you want to take care of this on your own? It should be safe if there are no core patches (check /sites/all/hacks/core, and /hacks/core and composer.json) "
      read -p "${UNDERLINE}Apply the updates and automatically resolve conflicts?  [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
      case $continue in
        [Nn])
          echo -e "You can re-run this script when you've resolved the problem and want to run updates for contrib modules."
          echo -e "Or you can run the \`pantheon-multidev-merge\` script if you just want to merge and deploy."
          exit 0
          ;;
        *) ;;
      esac
      terminus upstream:updates:apply ${sitename}.${multidev} --accept-upstream
      if [ $? != 0 ]; then
        cleanup_on_error $sitename $multidev "The upstream could not be updated automatically." 13
      fi
      echo -e "${UNDERLINE}You will likely need to re-apply any patches to core $framework.${NOUNDERLINE}"
    fi
    if [ $framework == 'drupal' ]  || [ $framework == 'drupal8' ]; then
      terminus drush ${sitename}.${multidev} -- updatedb -y 2>&1 | fgrep -v 'This environment is in read-only Git mode' | fgrep -v '[Exit: 0]'
      if [ $? != 0 ]; then
        cleanup_on_error $sitename $multidev "error updating the database." 10
      fi
    fi
  fi
}

#set -x
SUGGESTEDSITENAME=$1
if [ "$SUGGESTEDSITENAME" == "" ]; then
  terminus_check
  terminus_authenticate
fi
SITENAME=''
choose_site "$SUGGESTEDSITENAME" SITENAME
FRAMEWORK=''
get_framework "$SITENAME" FRAMEWORK

SUGGESTEDMULTIDEV='sec'`date "+%Y%m%d"`
#MULTIDEV='sec'`date "+%Y%m%d"`
MULTIDEV=''
multidev_create "$SITENAME" "$FRAMEWORK" "$SUGGESTEDMULTIDEV" MULTIDEV

URL=''
get_multidev_url "$SITENAME" "$MULTIDEV" URL

multidev_update "$SITENAME" "$FRAMEWORK" $MULTIDEV

multidev_merge "$SITENAME" "$FRAMEWORK" $MULTIDEV
multidev_delete "$SITENAME" "$MULTIDEV" 1

read -p "${UNDERLINE}Deploy to the test environment?  [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
case $continue in
  [Nn])
    echo -e "You can run the \`pantheon-deploy\` script when you're ready."
    exit 0
    ;;
  *) ;;
esac
${BASH_SOURCE%/*}/pantheon-deploy "$SITENAME" "test"

read -p "${UNDERLINE}Deploy to the live environment?  [${BOLD}y${NOBOLD}/n]${NOUNDERLINE} " continue;
case $continue in
  [Nn])
    echo -e "You can run the \`pantheon-deploy\` script when you're ready."
    exit 0
    ;;
  *) ;;
esac
${BASH_SOURCE%/*}/pantheon-deploy "$SITENAME" "live"

echo -e "Thanks.  All done."
# @todo Show `drush uli` links with all URLs.