[5.1] TUF-based core updates

[SniperSister]

Summary of Changes

This pull requests changes the way how Joomla retrieves update information for Joomla core.

So far, the information about available updates has been retrieved using an XML file hosted on the Joomla.org CDN. Whatever information was written in that XML file was trusted and there was no way for a Joomla installation of that update XML actually is a legit file distributed by the project.

This makes the project vulnerable to supply chain attacks, where an attacker, once he gains access to the update XML file, might be able to distribute malicious update packages. The already implemented security measure of package hashes is no proper mitigation for that scenario as the package URL und the package hashes are stored in the same XML.

In order to succesfully mitigate such attacks, we would like to use "The Update Framework" (short "TUF") to the Joomla core updater. We are not going to introduce the general concepts of TUF in this PR as it's very extensively documented at https://theupdateframework.io/

The main changes in this PR are:

• Inclusion of the PHP-TUF client
• Inclusion of new library classes to connect the TUF client with the CMS
• Addition of a new service provider for the HTTP Factory, which allows us to mock it as a dependency in our unit tests
• Various changes to the existing Update and Updater classes to add TUF repos as a potential update source next to the existing XML mechanism
• An additional check in com_joomlaupdate to verify that the package version that shall be installed is actually the package version that users confirmed to install - that fixes an existing bug, where the re-retrieval of update information before the package download might cause a different version to be installed than the version that user saw on the update information page

Testing Instructions

Preparation steps

• Apply the patch
• Update the composer dependencies with composer install
• Execute the DB changes by navigating to System > Maintenance > Database and hit "Update Structure"

Scenario 1: successful retrieval of a legit core update via TUF

• Execute the preparation steps above if not done yet
• Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
• Navigate to System > Update > Joomla
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Expected Result: Fetching succeeds, Message "Checked for updates.", no update being offered

Scenario 2: blocked retrieval of a malicious core update via TUF

• Execute the preparation steps above if not done yet
• Execute the "invalid test metadata" query from the test queries section below using a DB client of your choice
• Navigate to System > Update > Joomla
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Expected Result: The message "Update not possible because the offered update does not have enough signatures" is shown.

Scenario 3: successful retrieval of a core update via a custom XML server

• Execute the preparation steps above if not done yet
• Navigate to System > Update > Joomla, hit "Options"
• Set the Update Channel to "Custom" and use https://update.joomla.org/core/sts/list_sts.xml as an update URL
• Hit save & close
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Expected Result: Fetching succeeds, Message "Checked for updates.", no update being offered
• Switch the Update Channel back to Default

Scenario 4: successful retrieval of an extension update via the existing XML mechanisms

• Execute the preparation steps above if not done yet
• Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
• Install an outdated version of an extension of choice that supports the Joomla updater
• Fetch and install the extension update
• Expected result: Fetching succeeds, update can be installed

Scenario 5: reinstall feature is available

• Execute the preparation steps above if not done yet
• Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
• Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
• Navigate to System > Update > Joomla
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Fetching succeeds, update to 5.1.100 being offered
• Modify the stored core update in the #__updates table and change the version from 5.1.100 to 5.1.0-alpha4-dev (or whatever your local 5.1.x version is)
• Expected: A screen that allows to reinstall the core files is shown:

Scenario 6: Constraint information is availabel

• Execute the preparation steps above if not done yet
• Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
• Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
• Navigate to System > Update > Joomla
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Fetching succeeds, update to 5.1.100 being offered
• Modify the file libraries/src/Updater/ConstraintChecker.php, line 151, replace if (!$result) { with if (!$result || true) { to simulate a failed php constraint
• Expected: A screen with information about the failed constraint is shown

Scenario 7: successful installation of a core update

• Execute the preparation steps above if not done yet
• Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
• Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
• Navigate to System > Update > Joomla
• Fetch the available updates by clicking "Check for Updates" in the toolbar
• Fetching succeeds, update to 5.1.100 being offered
• Expected result: Update to 5.1.100 can be performed

Test Queries

Valid production metadata - MySQL and MariaDB

DELETE FROM `#__tuf_metadata`;

INSERT INTO `#__tuf_metadata` (`id`, `update_site_id`, `root`, `targets`, `snapshot`, `timestamp`, `mirrors`) VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":4,"expires":"2025-03-02T16:38:55Z","keys":{"07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9b2af2d9b9727227735253d795bd27ea8f0e294a5f3603e822dc5052b44802b9"}},"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"a18e5ebabc19d5d5984b601a292ece61ba3662ab2d071dc520da5bd4f8948799"}},"2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"cb0a7a131961a20edea051d6dc2b091fb650bd399bd8514adb67b3c60db9f8f9"}},"31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"589d029a68b470deff1ca16dbf3eea6b5b3fcba0ae7bb52c468abc7fb058b2a2"}},"9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"6043c8bacc76ac5c9750f45454dd865c6ca1fc57d69e14cc192cfd420f6a66a9"}},"e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"ad1950e117b29ebe7a38635a2e574123e07571e4f9a011783e053b5f15d2562a"}},"ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"5d451915bc2b93a0e4e4745bc6a8b292d58996d50e0fb66c78c7827152a65879"}}},"roles":{"root":{"keyids":["1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e"],"threshold":1},"snapshot":{"keyids":["07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"targets":{"keyids":["31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"timestamp":{"keyids":["9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","sig":"1c8060aab4c5290dc398199d8f124701bd3f7d3fb47d688e3e61d20eeb90d6e387556ce680ba8db9b99f15332df64da349a03344f50ab4f1fe491efdf88f170c"}]}', NULL, NULL, NULL, NULL);

Valid production metadata - PostgreSQL

DELETE FROM "#__tuf_metadata";

INSERT INTO "#__tuf_metadata" ("id", "update_site_id", "root", "targets", "snapshot", "timestamp", "mirrors") VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":4,"expires":"2025-03-02T16:38:55Z","keys":{"07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9b2af2d9b9727227735253d795bd27ea8f0e294a5f3603e822dc5052b44802b9"}},"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"a18e5ebabc19d5d5984b601a292ece61ba3662ab2d071dc520da5bd4f8948799"}},"2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"cb0a7a131961a20edea051d6dc2b091fb650bd399bd8514adb67b3c60db9f8f9"}},"31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"589d029a68b470deff1ca16dbf3eea6b5b3fcba0ae7bb52c468abc7fb058b2a2"}},"9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"6043c8bacc76ac5c9750f45454dd865c6ca1fc57d69e14cc192cfd420f6a66a9"}},"e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"ad1950e117b29ebe7a38635a2e574123e07571e4f9a011783e053b5f15d2562a"}},"ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"5d451915bc2b93a0e4e4745bc6a8b292d58996d50e0fb66c78c7827152a65879"}}},"roles":{"root":{"keyids":["1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e"],"threshold":1},"snapshot":{"keyids":["07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"targets":{"keyids":["31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"timestamp":{"keyids":["9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","sig":"1c8060aab4c5290dc398199d8f124701bd3f7d3fb47d688e3e61d20eeb90d6e387556ce680ba8db9b99f15332df64da349a03344f50ab4f1fe491efdf88f170c"}]}', NULL, NULL, NULL, NULL);

Invalid test metadata - MySQL and MariaDB

DELETE FROM `#__tuf_metadata`;

INSERT INTO `#__tuf_metadata` (`id`, `update_site_id`, `root`, `targets`, `snapshot`, `timestamp`, `mirrors`) VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2028-12-06T15:31:52Z","keys":{"1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"71c24873013b6f21aca791f45dcd9ddb5842a97bf72ac73c211742c2659a97ff"}},"696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9fac963aac4e14f948a7c2d6b3fa2232f6cb5a08bf6a8b6100bc6e68b0683c1c"}},"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"d08225342af7a8075bf210bd62154567140a8e14d824743e58b8e7e64ee8ad0b"}},"92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"8d70ac7574e64f209bff3d7c1d8b8ab6e34cf4419dd09f0d222354dceee986d7"}},"f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"b7a3d08989b5885d78e93425daacf3a71b0e190759e1a8633aa41bdb3ec3cd97"}}},"roles":{"root":{"keyids":["70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750"],"threshold":1},"snapshot":{"keyids":["f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9"],"threshold":1},"targets":{"keyids":["696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a"],"threshold":1},"timestamp":{"keyids":["1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0","92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750","sig":"52f8de5d8c0ac8c532a4e3c274b3e22cd2dca57a9f5d4094ccc1ded9966fb7064acc589ad564ba7ba04f7dfb42d8ccb803811b73551c60df4f9996c116967e00"}]}', NULL, NULL, NULL, NULL);

Invalid test metadata - PostgreSQL

DELETE FROM "#__tuf_metadata";

INSERT INTO "#__tuf_metadata" ("id", "update_site_id", "root", "targets", "snapshot", "timestamp", "mirrors") VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2028-12-06T15:31:52Z","keys":{"1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"71c24873013b6f21aca791f45dcd9ddb5842a97bf72ac73c211742c2659a97ff"}},"696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9fac963aac4e14f948a7c2d6b3fa2232f6cb5a08bf6a8b6100bc6e68b0683c1c"}},"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"d08225342af7a8075bf210bd62154567140a8e14d824743e58b8e7e64ee8ad0b"}},"92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"8d70ac7574e64f209bff3d7c1d8b8ab6e34cf4419dd09f0d222354dceee986d7"}},"f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"b7a3d08989b5885d78e93425daacf3a71b0e190759e1a8633aa41bdb3ec3cd97"}}},"roles":{"root":{"keyids":["70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750"],"threshold":1},"snapshot":{"keyids":["f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9"],"threshold":1},"targets":{"keyids":["696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a"],"threshold":1},"timestamp":{"keyids":["1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0","92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750","sig":"52f8de5d8c0ac8c532a4e3c274b3e22cd2dca57a9f5d4094ccc1ded9966fb7064acc589ad564ba7ba04f7dfb42d8ccb803811b73551c60df4f9996c116967e00"}]}', NULL, NULL, NULL, NULL);

Link to documentations

Please select:

• No documentation changes for docs.joomla.org needed
• No documentation changes for manual.joomla.org needed
• Link to internal documentation: https://internal.joomla.org/docs/production/update/infrastructure/expired-metadata

Kudos

This is not my personal work, a ton of people helped creating this feature and I would like to thank Harald, Benjamin, Niels, Martina, Hannes, Magnus, Tobias, Franciska, Timo, Stefan and Elias for their time and contributions!

[richard67]

I have tested this item ✅ successfully on 5585d32

I've tested scenario 6 again and can confirm that after the latest changes information on all failed constraints (DB and PHP versions) are shown.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42799.}

[alikon]

is the CLI installation TUF aware ?

[richard67]

is the CLI installation TUF aware ?

It should be as it uses the model. But as I just could see the CLI doesn't show any details of failed constraints in scenario 6. But that was also the case without TUF, I think.

richard@vmubu01:~/lamp/public_html/joomla-cms-5.1-dev$ cli/joomla.php core:update:check

Joomla! Update Status
=====================

You are on the default update channel.
Your current Joomla version is 5.1.0-beta1-dev.

 ! [NOTE] New Joomla Version 5.1.100 is available.                                                                      
                                                                                                                        
 [WARNING] We cannot find an update URL                                                                                 
                                                              
richard@vmubu01:~/lamp/public_html/joomla-cms-5.1-dev$

[richard67]

Hmm, it seems not to be ready for the CLI. Trying the update (scenario 7) with cli/joomla.php core:update fails:

richard@vmubu01:~/lamp/public_html/joomla-cms-5.1-dev$ cli/joomla.php core:update

Updating Joomla
===============

Starting up ...
Running checks ...
Check Database Table Structure...
 1/9 [===>------------------------]  11%
                                                                                                                        
 [INFO] 7 database changes were checked.                                                                                
                                                                                                                        

                                                                                                                        
 [INFO] 46 database changes did not alter table structure and were skipped.                                             
                                                                                                                        

Starting Joomla! update ...
Processing update package ...
Downloading update package ...
Extracting update package ...
Copying files ...
 6/9 [==================>---------]  66%
In Folder.php line 65:
                           
  Source folder not found  
                           

core:update [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [--live-site [LIVE-SITE]] [--] <command>

richard@vmubu01:~/lamp/public_html/joomla-cms-5.1-dev$

[richard67]

In the update log after CLI update attempt:

#Fields: datetime	priority clientip	category	message
2024-02-26T12:11:22+00:00	INFO -	update	Test logging
2024-02-26T12:11:22+00:00	INFO -	update	Update started by user CLI (0). Old version is 5.1.0-beta1-dev.
2024-02-26T12:11:23+00:00	WARNING -	jerror	Error connecting to the server: 404

[SniperSister]

That failure is not related to the actual TUF implementation but to the fact that the test release has invalid package URLs on 2 of 3 mirrors. The backend updater will fall back to the working one, the CLI updater fails on the first package. The information retrieval (that's the key part) works as expected.

[bembelimen]

Ready, Set, Go...

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42799.}

[LadySolveig]

Thanks to all involved in this great project! 🚀 💯 🚀

[alikon]

so it's a new feature and/or it is a release blocker ? does it work from cli ?
what i'm missing ?
ah ... it is merged