capdrupal 3.0.3 → 3.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c0b198fb0b3a8dae0c743741c57a47722a29b2677096c290e2da2e381e6d6ed
-  data.tar.gz: 34da2b54176946f505b3e18426b110597b453db249fd57ee5b8725c7599b45ed
+  metadata.gz: 7266984d5cca0bd4f27392796b71cca44f6a5be8017743ec8075c030e87d3c99
+  data.tar.gz: 719349f1a190ef5aca2833f9e37a682d3a111d1ec6498c6bf8a4d0a9c945d7cc
 SHA512:
-  metadata.gz: 4f21885265080d37aa365fcead9db26d28692e533017fb01b12d480330908bc212de65b8a368beb82482676e2db342421e489b5201082103ecf17cd704527217
-  data.tar.gz: 3a54f1fea98a00427ecd8d51909d10d24abdd4d174de0370aeb66b80e6c1156b3afbc5574fec72c4cfe1968f6adce25b76e23c5f1dfa3f1547e1b02f6da515c9
+  metadata.gz: 2b75fbaa093cc8e3d858f652bba34604ff32534ff8a21e46614c89feae8a77d21115638164cf15a09a65154a87da653da932c623615a3ebec7a3397f168ada72
+  data.tar.gz: d4ef047b57d2f1385d50db3305ce5b990e6ef955e62e333ada3bd097a04cc23138a8434c05b5a62e4263072357ce9507aad16d69e4bb7a980bbc96ea6665c1bd

data/CHANGELOG.md

@@ -1,6 +1,10 @@
 # Capdrupal Changelog
 
-## NEXT RELEASE
+## NEXT RELEASE
+
+## 3.0.4 (2023-04-25)
+ - add command `drupal:security:obscurity:files` to obfuscate Drupal sensitive files by deletion
+ - add command `drupal:security:obscurity:htaccess` to obfuscate Drupal sensitive files by htaccess
 
 ## 3.0.3 (2023-03-14)
  - Only files directory must have permissions fixed to be writable, not all shared files.

data/README.md

@@ -153,6 +153,10 @@ namespace :deploy do
 
   # Clear your Drupal 8 cache.
   after :updated, "drupal:cache:clear"
+  
+  # Obfuscate Drupal sensitive files by removing or by denying access to them.
+  # after :updated, "drupal:security:obscurity:files"
+  # after :updated, "drupal:security:obscurity:htaccess"
 
   # Disable the maintence on the Drupal project.
   after :updated, "drupal:maintenance:off"

data/capdrupal.gemspec

@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = 'capdrupal'
-  spec.version       = '3.0.3'
+  spec.version       = '3.0.4'
   spec.authors       = ['Kevin Wenger', 'Yann Lugrin', 'Gilles Doge', 'Toni Fisler', 'Simon Perdrisat', 'Robert Wohleb', 'Kim Pepper']
   spec.email         = ['hello@antistatique.net']
 

data/lib/capdrupal.rb

@@ -7,6 +7,27 @@ namespace :load do
     set :keep_backups, 5
     set :enable_modules, []
     set :disable_modules, []
+    set :security, {
+      # Path of files to be removed from the release path.
+      obscurity: [
+       "#{fetch(:app_path)}/core/install.php",
+       "#{fetch(:app_path)}/install.php",
+       "#{fetch(:app_path)}/update.php",
+       "#{fetch(:app_path)}/core/COPYRIGHT.txt",
+       "#{fetch(:app_path)}/core/CHANGELOG.txt",
+       "#{fetch(:app_path)}/core/INSTALL.mysql.txt",
+       "#{fetch(:app_path)}/core/INSTALL.pgsql.txt",
+       "#{fetch(:app_path)}/core/INSTALL.sqlite.txt",
+       "#{fetch(:app_path)}/core/MAINTAINERS.txt",
+       "#{fetch(:app_path)}/core/LICENSE.txt",
+       "#{fetch(:app_path)}/core/INSTALL.txt",
+       "#{fetch(:app_path)}/core/UPDATE.txt",
+       "#{fetch(:app_path)}/core/USAGE.txt",
+       "#{fetch(:app_path)}/CHANGELOG.txt",
+       "#{fetch(:app_path)}/INSTALL.txt",
+       "#{fetch(:app_path)}/example.gitignore",
+     ]
+    }
   end
 end
 
@@ -256,6 +277,40 @@ namespace :drupal do
     end
   end
 
+  namespace :security do
+
+    desc 'Security by Obscurity'
+    namespace :obscurity do
+
+      desc 'Obfuscate Drupal sensitive files by deletion'
+      task :files do
+        on roles(:app) do
+          within release_path do
+            fetch(:security)[:obscurity].each do |file|
+              execute :rm, file, '-f'
+            end
+          end
+        end
+      end
+
+      desc 'Obfuscate Drupal sensitive files by htaccess'
+      task :htaccess do
+        on roles(:app) do
+          htaccessFile = release_path.join(fetch(:app_path)).join('.htaccess')
+
+          [
+            '## added during deploy',
+            '## Obfuscate Drupal sensitive files by denying access',
+            '<FilesMatch "(^API|CHANGELOG|COPYRIGHT|INSTALL|LICENSE|PATCHES|MAINTAINERS|README|TODO|UPGRADE|UPDATE|CHANGES|install|update|authorize).*\.(md|txt|php)$">',
+            '  Order deny,allow',
+            '  Deny from all',
+            '</FilesMatch>'
+          ].each { |line| execute "echo '#{line}' >> #{htaccessFile}" }
+        end
+      end
+    end
+  end
+
   namespace :files do
     desc "Download drupal sites files (from remote to local)"
     task :download do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: capdrupal
 version: !ruby/object:Gem::Version
-  version: 3.0.3
+  version: 3.0.4
 platform: ruby
 authors:
 - Kevin Wenger
@@ -11,10 +11,10 @@ authors:
 - Simon Perdrisat
 - Robert Wohleb
 - Kim Pepper
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-14 00:00:00.000000000 Z
+date: 2023-04-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: capistrano
@@ -95,7 +95,7 @@ homepage: http://github.com/antistatique/capdrupal/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -110,8 +110,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: A set of tasks for deploying and managing Drupal projects with Capistrano
 test_files: []