[5.4] Automated Core Update Client #45143

Draft
wants to merge 107 commits into base: 5.4-dev

SniperSister
Contributor

@SniperSister SniperSister commented Mar 15, 2025

Summary of Changes

This PR implements automated core updates for Joomla. It's the "client" implementation, the server implementation can be found here: https://github.com/joomla-projects/Automated-Updates-Server

In general, the implemented concept utilizes existing logic and functionality and has been built as a thin "remote control" layer around the current code:

  • Update retrieval is handled by TUF, guaranteeing reliable, trustworthy update information. The information about a new version is therefore not "pushed" by the autoupdate server (causing potential loopholes if the server is compromised) but fetched by the site itself
  • Update download and checksum handling is performed by the existing model that com_joomlaupdate uses
  • Update extraction is performed using the standalone extraction script of com_joomlaupdate - as this script normally resides in the administrator folder and that folder is often protected by additional measures (IP blocks, basic auth checks), a statement in the main index.php has been added to require that script directly, allowing direct access
  • Postinstall scripts are again performed by the existing com_joomlaupdate models

The communication between the update server (which handles periodic health checks and triggers the updates) and the site happens via a bunch of newly added webservice endpoints. For access control, an auth token, that is generated in the site and is sent to the server on registration, is used.

Besides these endpoints, the PR adds multiple "supporting" extensions and tweaks:

  • a postinstall message, highlighting the new feature on existing installations, pushing site owners to enable it
  • a guided tour, highlighting the new feature too
  • a quick icon, displaying the current feature and connection status
  • new mail templates to notify admins about successful or failed updates

This PR is a joint effort together with @rdeutz @bembelimen @HLeithner - thank you guys! Thank you @brianteeman for the language support :) and thank you @richard67 for taking care of the adjustments to 5.4

Testing Instructions

Current plan is to merge this feature for inclusion into 5.4 alpha1. Once that is done, a 5.4 alpha2 will be built to test the updating logic under as many setups as possible.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org: Todo

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
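
The trigger-and-fetch split described in the summary above, as an added sketch that is not code from this PR or from Joomla: the remote call only authenticates and triggers, while version, URL and checksum come from metadata the site fetched and verified itself. All function and field names are hypothetical, and `$fetchTrustedMetadata` stands in for the TUF client.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not Joomla's API.
// $fetchTrustedMetadata is assumed to return
// ['version' => ..., 'url' => ..., 'sha384' => ...] only after the
// metadata signatures have been verified (the TUF step).
function handleUpdateTrigger(
    array $request,
    string $storedToken,
    string $installedVersion,
    callable $fetchTrustedMetadata,
    callable $download
): array {
    // 1. Authenticate the caller; hash_equals() compares in constant time.
    $presented = (string) ($request['token'] ?? '');
    if ($storedToken === '' || !hash_equals($storedToken, $presented)) {
        return ['status' => 403, 'message' => 'invalid token'];
    }

    // 2. Ignore any version or URL supplied in the request. What to
    //    install is decided from metadata the site pulled itself.
    $meta = $fetchTrustedMetadata();
    if (version_compare($meta['version'], $installedVersion, '<=')) {
        return ['status' => 200, 'message' => 'already up to date'];
    }

    // 3. Verify the downloaded package against the trusted checksum
    //    before anything is extracted.
    $file   = $download($meta['url']);
    $actual = hash_file('sha384', $file);
    if ($actual === false || !hash_equals(strtolower($meta['sha384']), $actual)) {
        @unlink($file);
        return ['status' => 500, 'message' => 'checksum mismatch'];
    }

    return ['status' => 200, 'message' => 'verified', 'file' => $file];
}

// Constructed demo data: a local temp file plays the downloaded package.
$token = bin2hex(random_bytes(32));
$pkg   = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($pkg, 'constructed package bytes');
$meta = fn () => ['version' => '5.4.1', 'url' => 'https://example.invalid/pkg.zip',
                  'sha384' => hash_file('sha384', $pkg)];
$dl   = fn (string $url) => $pkg;

// A request with a wrong token that names its own package URL is refused.
print_r(handleUpdateTrigger(['token' => 'wrong', 'url' => 'https://example.invalid/other.zip'],
                            $token, '5.4.0', $meta, $dl));
// A valid trigger proceeds, using only the trusted metadata.
print_r(handleUpdateTrigger(['token' => $token], $token, '5.4.0', $meta, $dl));
```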

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester and removed Unit/System Tests labels Mar 16, 2025
…-mod-1

[CMS PR 45143] Adapt automated updates PR to 5.4-dev branch
@richard67
Member

richard67 commented Mar 16, 2025

@SniperSister Testing instructions should be adjusted to 5.4.0-alpha1. Maybe we can find a way to test it before that, e.g. when this PR is merged and we have 5.4-dev nightlies which include this PR? When someone is on such a nightly and we could offer some kind of pre-release in Tuf, maybe 5.4.0-alpha1-0 or so, so PHP version_compare says it is higher than "5.4.0-alpha1-dev" but lower than "5.4.0-alpha1", could that work? The targetplatform of such pre-release should of course be limited to 5.4.0, and the stability should be "Development".

That could even work without this PR being merged yet, without nightlies, when someone is on the patched package of this PR or has applied this PR on a current 5.4-dev branch.

@muhme
Contributor

muhme commented Mar 16, 2025

@SniperSister and everyone else, thank you in advance for including this feature in version 5.4 ❤️.
And we require a detailed test plan to confirm that automated core updates are functioning correctly on all existing sites under all circumstances.

@brianteeman
Contributor

new mail templates to notify admins about successful or failed updates

Did these get missed from the PR?

@HLeithner
Member

I think @SniperSister's branch has not been synced with the development repository yet.

@obuisard
Contributor

I would suggest we take the Guided Tour out of this PR, because it may not be the only information we want to add to the 'What's new tour' for 5.4. I have personally kept the code/language keys/image that were created in this PR so that we can create a separate one with the tour and what may be added to it or modified.
I really appreciate the work that was done here.

@brianteeman
Contributor

@obuisard you can always update the tour at a later date

@richard67
Member

@obuisard I would leave it as it is in this PR if this PR will not take too long to be ready for review and testing.

If we later see that this PR is still not ready and we want to add something to the welcome tour for 5.4.0, we still can remove it from this PR.

Labels
Feature Language Change This is for Translators NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.4-dev
9 participants