From ce9279ab477371483627321017fb3b9c20df1cc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristhian=20Mart=C3=ADnez=20Ochoa?=
Date: Fri, 2 Jun 2023 12:39:56 -0700
Subject: [PATCH] verify Verify process improved and updated.
---
 lib/general | 13 +++-
 lib/verify | 177 ++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 168 insertions(+), 22 deletions(-)
diff --git a/lib/general b/lib/general
index 4e118d9..2c26afc 100644
--- a/lib/general
+++ b/lib/general
@@ -353,6 +353,9 @@ check_mysql_connection() {
 # External DB if login group exist: $(check_mysql_connection $extdb_url $extdb_port $wp_dbuser -login-file $wp_dbname)
 # Master-admin not needed here for specific dbs.
+ # Note: You can always use the dynvar 'quiet' set to 'true' to not display messages.
+ # In this especific case ONLY, there is a third value: false, true and truebutnotmaster (connection successfull but not enough privileges for master-admin)
+
 local query="quit"
 local error_display="true"
@@ -395,7 +398,11 @@ password = $4
 if [[ $5 == "-master-admin" ]]; then
 local priv=$(sudo mysql --defaults-group-suffix=_${suffix_group_name} --connect-timeout=10 -h "$1" -P "$2" -e "SHOW GRANTS FOR CURRENT_USER();")
 if ! [[ -n $(echo $priv | grep -Fo "WITH GRANT OPTION") && ( -n $(echo $priv | grep -Fo "GRANT ALL PRIVILEGES") || ( -n $(echo $priv | grep -Fo "CREATE USER") && -n $(echo $priv | grep -Fo "ALTER"))) ]]; then
- echo "${red}${dim}[WARNING] Seems like '$(echo $priv | grep -oP -m 1 'Grants for \K\w+')' is not a Master user!${end}" >&2
+ if [[ $(conf_read quiet) != "true" ]]; then
+ echo "${red}${dim}[WARNING] Seems like '$(echo $priv | grep -oP -m 1 'Grants for \K\w+')' is not a Master user!${end}" >&2
+ else
+ local master_priv="false"
+ fi
 fi
 fi
 fi 
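Review bot: The new comment documents a third result value but not the condition under which it is produced; from the final echo in hunk @@ -434,7 of this file, `truebutnotmaster` can only appear while the `quiet` dynvar is `true`, and a caller reading this comment needs that. I would write `# When the dynvar 'quiet' is 'true' nothing is printed and the output gains a third value: false, true and truebutnotmaster (connected, but the -master-admin privilege check failed).` Also `especific` → `specific` and `successfull` → `successful`.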
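Review bot: `local master_priv="false"` is assigned in the quiet branch but never read, and the final output line in hunk @@ -434,7 of this file (`[[ $(conf_read quiet) != "true" ]] && echo "true" || echo "truebutnotmaster"`) returns `truebutnotmaster` for every successful connection whenever quiet is set — including connections that passed the -master-admin check and calls made without `-master-admin` at all. As consumed by the new saved-credentials check in lib/verify (hunk @@ -718,6), that turns a correctly privileged external DB into a spurious "not Master user" warning. Make the result depend on the flag: replace the `else` branch with an `elif [[ $master_priv == "false" ]]; then echo "truebutnotmaster"` branch and keep `echo "true"` in the final `else`. check_mysql_connection starts and ends outside this hunk.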
@@ -425,7 +432,7 @@ password = $4
 local out="false"
 fi
- if [[ $out == "false" && $error_display != "false" ]]; then
+ if [[ $out == "false" && $error_display != "false" && $(conf_read quiet) != "true" ]]; then
 echo "${red}===================================================" >&2
 echo " [Error] Database conection failed! (${1})" >&2
 echo "===================================================${end}" >&2
@@ -434,7 +441,7 @@ password = $4
 elif [[ $out == "false" ]]; then
 echo "false"
 else
- echo "true"
+ [[ $(conf_read quiet) != "true" ]] && echo "true" || echo "truebutnotmaster"
 fi
 }
diff --git a/lib/verify b/lib/verify
index 31b3c2f..c9e565f 100644
--- a/lib/verify
+++ b/lib/verify
@@ -177,6 +177,10 @@ if [[ ! -f /opt/webinoly/templates/general/admin_tools.conf ]]; then
 echo "- [ERROR] File: /opt/webinoly/templates/general/admin_tools.conf not found!"
 local ver_one_err="1"
 fi
+if [[ ! -f /opt/webinoly/templates/general/certbot-deploy-hook ]]; then
+ echo "- [ERROR] File: /opt/webinoly/templates/general/certbot-deploy-hook not found!"
+ local ver_one_err="1"
+fi
 if [[ ! -f /opt/webinoly/templates/general/conf ]]; then
 echo "- [ERROR] File: /opt/webinoly/templates/general/conf not found!"
 local ver_one_err="1" 
@@ -254,6 +258,41 @@ if [[ -z $critical_mode ]]; then
 done
 fi
+ # Temp dynvar in conf file
+ if [[ -n $(conf_read force-flag) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (force-flag) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read delautopma) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (delautopma) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read temp-path) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (temp-path) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read nginx-reload) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (nginx-reload) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read quiet) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (quiet) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read multi-bkp-db) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (multi-bkp-db) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read multi-bkp-dbh) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (multi-bkp-dbh) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+ if [[ -n $(conf_read stack-update) ]]; then
+ echo "${dim}- [WARNING] Temporal variable (stack-update) has been found in the Webinoly Configuration File! ${end}${red}"
+ local ver_one_war="1"
+ fi
+
+
 if [[ $ver_one_err == "1" ]]; then
 echo "(1) Webinoly Integrity Test has failed!"
 elif [[ $ver_one_war == "1" ]]; then 
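Review bot: The eight added `if [[ -n $(conf_read …) ]]` blocks differ only in the dynvar name, and the list will keep growing (the `quiet` entry here is the same flag lib/verify itself writes in hunk @@ -718,6 further down). A single loop over the names keeps every message byte-identical and makes adding the next temp dynvar a one-word change. The surrounding `if [[ -z $critical_mode ]]` block starts outside this hunk.
```shell
# Temp dynvar in conf file
local ver_temp_var
for ver_temp_var in force-flag delautopma temp-path nginx-reload quiet multi-bkp-db multi-bkp-dbh stack-update; do
    if [[ -n $(conf_read $ver_temp_var) ]]; then
        echo "${dim}- [WARNING] Temporal variable ($ver_temp_var) has been found in the Webinoly Configuration File! ${end}${red}"
        local ver_one_war="1"
    fi
done
# … unchanged: ver_one_err / ver_one_war summary …
```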
@@ -274,6 +313,12 @@ local ver_two_err="0"
 local ver_two_war="0"
 if [[ $(conf_read nginx) == "true" ]]; then
+ # Check if NGINX command is installed
+ if ! which nginx >/dev/null ; then
+ echo "- [ERROR] Seems like NGIN command is not installed!"
+ local ver_two_err="1"
+ fi
+
 if [[ ! -f /etc/nginx/nginx.conf ]]; then
 echo "- [ERROR] File: /etc/nginx/nginx.conf not found!"
 local ver_two_err="1"
@@ -380,6 +425,15 @@ if [[ $(conf_read nginx-optim) == "true" ]]; then
 echo "- [ERROR] File: /opt/webinoly/templates/source/nginx.conf not found!"
 local ver_two_err="1"
 fi
+
+ if [[ -f /etc/nginx/common/wpfc.conf && ( -n $(grep -F "" /etc/nginx/common/wpfc.conf) || -n $(grep -F "" /etc/nginx/common/wpfc.conf) ) ]]; then
+ echo "- [ERROR] File: /etc/nginx/common/wpfc.conf is corrupted!"
+ local ver_two_err="1"
+ fi
+ if [[ -f /etc/nginx/common/locations.conf && ( -n $(grep -F "" /etc/nginx/common/locations.conf) || -n $(grep -F "" /etc/nginx/common/locations.conf) ) ]]; then
+ echo "- [ERROR] File: /etc/nginx/common/locations.conf is corrupted!"
+ local ver_two_err="1"
+ fi
 fi
 # NGINX tools site 
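Review bot: The error text says `NGIN command` where the comment two lines above says NGINX; `echo "- [ERROR] Seems like NGINX command is not installed!"`. Separately, this hunk and the sibling checks added in @@ -476,6, @@ -607,18, @@ -819,6, @@ -875,6, @@ -899,9 and @@ -912,19 of lib/verify all probe with `which`, an external program whose presence and exit status are not standardised; the bash builtin form `if ! command -v nginx >/dev/null; then` does the same job without that dependency. Either form is PATH-dependent, so a binary installed outside the invoking user's PATH is reported as missing even when the absolute-path tests some of those hunks remove would have found it.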
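Review bot: As rendered here, all four `grep -F ""` patterns in the wpfc.conf and locations.conf checks are empty strings, and `grep -F ""` matches every line of a non-empty file, so the "is corrupted!" error would fire for any existing wpfc.conf or locations.conf. If the intended pattern is a non-printing character that was lost in copying (a stray `\r` or similar), spell it out visibly, e.g. `grep -F $'\r' /etc/nginx/common/wpfc.conf`, so the check is readable and survives editors; if the two `||` alternatives really are the same pattern, one of them can go. The `if [[ $(conf_read nginx-optim) == "true" ]]` block this sits in starts outside the hunk.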
@@ -449,11 +503,30 @@ if [[ -z $critical_mode ]]; then
 if [[ $(conf_read nginx-optim) == "true" && ! ( -s /etc/nginx/.htpasswd || ( -n $(conf_read tools-site) && -s /etc/nginx/apps.d/.htpasswd-$(conf_read tools-site) )) ]]; then
 echo "${blu}${dim}- [INFO] HTTP Authentication Credentials not found to access the server tools on port $(conf_read tools-port).${end}${red}"
 fi
+
+ # HTTP Headers
+ if [[ $(conf_read nginx-optim) == "true" && -z $(conf_read header-csp) ]]; then
+ echo "${blu}${dim}- [INFO] Setting a Content-Security-Policy Header is highly recommended!${end}${red}"
+ fi
+ if [[ $(conf_read nginx-optim) == "true" && $(conf_read header-xssp) == "true" ]]; then
+ echo "${blu}${dim}- [INFO] X-XSS Header is no longer recommended, use a strong CSP instead!${end}${red}"
+ fi
- # Webinoly Stack version
- if [[ $(conf_read nginx) == "true" && $(conf_read server-version) != $svr_version ]]; then
- echo "${dim}- [WARNING] Webinoly Stack version check is corrupted! (Installed: $svr_version != Conf: $(conf_read server-version)) ${end}${red}"
- local ver_two_war="1"
+ if [[ $(conf_read nginx) == "true" ]]; then
+ # Webinoly Stack version
+ if [[ $(conf_read server-version) != $svr_version ]]; then
+ echo "${dim}- [WARNING] Webinoly Stack version check is corrupted! (Installed: $svr_version != Conf: $(conf_read server-version)) ${end}${red}"
+ local ver_two_war="1"
+ fi
+
+ # Check Nginx Branch in Configuration File
+ if [[ $(($(sudo nginx -v 2>&1 | cut -d'.' -f 2 -s)%2)) == 1 && $(conf_read nginx-ppa) != "mainline" ]]; then
+ echo "- [ERROR] Nginx Branch in Configuration File is corrupted!"
+ local ver_two_err="1"
+ elif [[ $(($(sudo nginx -v 2>&1 | cut -d'.' -f 2 -s)%2)) == 0 && $(conf_read nginx-ppa) != "stable" && -n $(conf_read nginx-ppa) ]]; then
+ echo "- [ERROR] Nginx Branch in Configuration File is corrupted!"
+ local ver_two_err="1"
+ fi
 fi
 if [[ $ver_two_err == "1" ]]; then 
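Review bot: The branch check feeds `$(sudo nginx -v 2>&1 | cut -d'.' -f 2 -s)` straight into `$(( … %2 ))`; when nginx is absent (the case the new `which nginx` check in @@ -274,6 has just reported) or prints something without a dot, the substitution is empty and bash raises an arithmetic error instead of a verify message, and the same pipeline runs twice. Compute the minor version once into a local and gate on the `=~ ^[0-9]+$` test this file already uses for `$ver_disk`. The enclosing `if [[ -z $critical_mode ]]` block starts outside the hunk.
```shell
# Check Nginx Branch in Configuration File
local ver_nginx_minor=$(sudo nginx -v 2>&1 | cut -d'.' -f 2 -s)
if [[ $ver_nginx_minor =~ ^[0-9]+$ ]]; then
    if [[ $((ver_nginx_minor%2)) == 1 && $(conf_read nginx-ppa) != "mainline" ]]; then
        echo "- [ERROR] Nginx Branch in Configuration File is corrupted!"
        local ver_two_err="1"
    elif [[ $((ver_nginx_minor%2)) == 0 && $(conf_read nginx-ppa) != "stable" && -n $(conf_read nginx-ppa) ]]; then
        echo "- [ERROR] Nginx Branch in Configuration File is corrupted!"
        local ver_two_err="1"
    fi
fi
```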
@@ -476,6 +549,12 @@ local ver_three_err="0"
 local ver_three_war="0"
 if [[ $(conf_read php) == "true" ]]; then
+ # Check if PHP command is installed
+ if ! which php >/dev/null ; then
+ echo "- [ERROR] Seems like PHP command is not installed!"
+ local ver_three_err="1"
+ fi
+
 if [[ ! -f /etc/php/$(conf_read php-ver)/fpm/php.ini ]]; then
 echo "- [ERROR] File: /etc/php/$(conf_read php-ver)/fpm/php.ini not found!"
 local ver_three_err="1" 
@@ -607,18 +686,41 @@ local ver_four_war="0"
 # MySQL/MariaDB
 if [[ $(conf_read mysql) == "true" ]]; then
+ # Check if MYSQL command is installed
+ if ! which mysql >/dev/null ; then
+ echo "- [ERROR] Seems like MYSQL command is not installed!"
+ local ver_four_err="1"
+ fi
+ if [[ ! -d /etc/mysql ]]; then
+ echo "- [ERROR] Folder: /etc/mysql not found!"
+ local ver_four_err="1"
+ fi
+
 if [[ $(conf_read db-engine) == "mysql" ]]; then
 local ver_mysql_ver=$(sudo mysql --version | grep -Eo "Ver [0-9\.]+" | cut -f 2 -d' ' | cut -f 1-2 -d'.')
+ if [[ -n $(sudo mysql --version | grep -Fio "MariaDb") ]]; then
+ echo "- [ERROR] MySQL DB Engine in Configuration File is corrupted!"
+ local ver_four_err="1"
+ fi
 else
 # To check supported versions: https://mariadb.com/kb/en/mariadb-server/
 local ver_mysql_ver=$(sudo mysql --version | sed 's/.*Distrib \([^\-]*\).*/\1/' | cut -f 1-2 -d'.')
+ if [[ -z $(sudo mysql --version | grep -Fio "MariaDb") || ( -n $(conf_read db-engine) && $(conf_read db-engine) != "mariadb" ) ]]; then
+ echo "- [ERROR] MySQL DB Engine in Configuration File is corrupted!"
+ local ver_four_err="1"
+ fi
 fi
-
- if [[ ! -d /etc/mysql ]]; then
- echo "- [ERROR] Folder: /etc/mysql not found!"
+
+ if [[ ! -f $MYSQL_CONF_PATH/${MYSQL_CONF_PREF}-webinoly-login.cnf ]]; then
+ echo "- [ERROR] File: $MYSQL_CONF_PATH/${MYSQL_CONF_PREF}-webinoly-login.cnf not found!"
+ local ver_four_err="1"
+ fi
+ if [[ ! -f $MYSQL_CONF_PATH/${MYSQL_CONF_PREF}-webinoly.cnf ]]; then
+ echo "- [ERROR] File: $MYSQL_CONF_PATH/${MYSQL_CONF_PREF}-webinoly.cnf not found!"
 local ver_four_err="1"
 fi
+
 # PPA & Keys
 if [[ $(conf_read db-engine) == "mysql" ]]; then
 if [[ ! -f /usr/share/keyrings/mysql-archive-keyring.gpg || ! -s /usr/share/keyrings/mysql-archive-keyring.gpg ]]; then
 echo "- [ERROR] MySQL Apt Key not found!" 
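Review bot: `sudo mysql --version` is now executed three separate times in this hunk, and nothing skips the engine checks when the `which mysql` test just above has already failed, so a missing client yields a second, misleading "MySQL DB Engine in Configuration File is corrupted!" error on top of the correct one. Capture the output once with `local ver_mysql_out=$(sudo mysql --version 2>/dev/null)`, run the `grep`/`sed` pipelines on `"$ver_mysql_out"`, and wrap the engine checks in `if [[ -n $ver_mysql_out ]]; then`. The `if [[ $(conf_read mysql) == "true" ]]` block continues past the end of this hunk.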
@@ -707,8 +809,8 @@ if [[ -z $critical_mode ]]; then
 local ver_four_war="1"
 fi
- # DB Role - Check Privileges!
 if [[ $(conf_read mysql-client) == "true" ]]; then
+ # DB Role - Check Privileges!
 local dbrolecheck=$(conf_read dbrole)
 local dbrolecheck=${dbrolecheck,,}
 if [[ $dbrolecheck == "all" ]]; then
@@ -718,6 +820,20 @@ if [[ -z $critical_mode ]]; then
 elif [[ $dbrolecheck == "basic" ]]; then
 echo "${blu}${dim}- [INFO] DB Default Privileges are set to BASIC, some sites may not work properly with basic privileges! ${end}${red}"
 fi
+
+ # Saved DB Credentials
+ conf_write quiet true
+ if [[ -n $(conf_read external-dbh) && -n $(conf_read external-dbu) && -n $(conf_read external-dbp) && -n $(conf_read external-dbx) ]]; then
+ local svdb=$(check_mysql_connection $(conf_read external-dbh) $(conf_read external-dbx) $(conf_read external-dbu) $(conf_read external-dbp) -master-admin)
+ if [[ $svdb == "false" ]]; then
+ echo "- [ERROR] External DB Connection failed! (Saved credentials for: $(conf_read external-dbh):$(conf_read external-dbx))"
+ local ver_four_err="1"
+ elif [[ $svdb == "truebutnotmaster" ]]; then
+ echo "${dim}- [WARNING] External DB Connection seems like not have Master user privileges! (Saved credentials for: $(conf_read external-dbh):$(conf_read external-dbx)) ${end}${red}"
+ local ver_four_war="1"
+ fi
+ fi
+ conf_delete quiet
 fi
@@ -819,6 +935,13 @@ if [[ $ver_disk =~ ^[0-9]+$ && $ver_disk -gt 75 ]]; then
 local ver_six_war="1"
 fi
+# Check if WGET is installed
+if ! which wget >/dev/null ; then
+ echo "- [ERROR] Seems like WGET package is not installed!"
+ local ver_six_err="1"
+fi
+
+
 if [[ -z $critical_mode ]]; then
 # Check for BASH Shell
 # This is a very "shity" method, but checking if file exists is very reliable 
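Review bot: `conf_write quiet true` persists a flag in the Webinoly configuration file and relies on control reaching `conf_delete quiet` eleven lines later; an interrupted run (Ctrl-C, or anything that exits inside check_mysql_connection, whose body is not visible here) leaves `quiet=true` behind, which silently suppresses the DB error output of every later command and trips the new "Temporal variable (quiet)" warning added in hunk @@ -254,6. Move `conf_write quiet true` inside the `if` that actually has credentials to test and install `trap 'conf_delete quiet' EXIT` (or whatever cleanup hook the script already uses) before the call. The credential values are also passed unquoted — write `"$(conf_read external-dbp)"` and friends — so a saved password containing whitespace would be split into several positional arguments. The enclosing `if [[ $(conf_read mysql-client) == "true" ]]` block starts outside the hunk.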
@@ -875,6 +998,11 @@ local ver_seven_war="0"
 # Web Tools
 if [[ $(conf_read php-tool-redis) == "true" ]]; then
+ # Check if REDIS command is installed
+ if ! which redis-cli >/dev/null ; then
+ echo "- [ERROR] Seems like Redis command is not installed!"
+ local ver_seven_err="1"
+ fi
 if [[ ! -d /etc/redis ]]; then
 echo "- [ERROR] Folder: /etc/redis not found!"
 local ver_seven_err="1"
@@ -899,9 +1027,12 @@ if [[ $(conf_read mysql-tool-pma) == "true" && ! -d /var/www/$ADMIN_TOOLS_SITE/h
 echo "- [ERROR] Folder: /var/www/$ADMIN_TOOLS_SITE/htdocs/pma not found!"
 local ver_seven_err="1"
 fi
-if [[ $(conf_read php-tool-memcached) == "true" && ! -f /usr/bin/memcached ]]; then
- echo "- [ERROR] File: /usr/bin/memcached not found!"
- local ver_seven_err="1"
+if [[ $(conf_read php-tool-memcached) == "true" ]]; then
+ # Check if MEMCACHED command is installed
+ if ! which memcached >/dev/null ; then
+ echo "- [ERROR] Seems like Memcached command is not installed!"
+ local ver_seven_err="1"
+ fi
 fi
 if [[ $(conf_read php-tool-postfix) == "true" && ! -d /etc/postfix ]]; then
 echo "- [ERROR] Folder: /etc/postfix not found!" 
@@ -912,19 +1043,21 @@ if [[ $(conf_read php-tool-postfix) == "true" && ! -f /opt/webinoly/templates/so
 local ver_seven_err="1"
 fi
 if [[ $(conf_read nginx-tool-ssl) == "true" ]]; then
- if [[ ! -L /snap/bin/certbot ]]; then
- echo "- [ERROR] File: /snap/bin/certbot not found!"
+ # Check if CERTBOT command is installed
+ if ! which certbot >/dev/null ; then
+ echo "- [ERROR] Seems like Certbot command is not installed!"
 local ver_seven_err="1"
 fi
 fi
 if [[ $(conf_read nginx-tool-bkp) == "true" ]]; then
- if [[ ! -f /usr/bin/duply ]]; then
- echo "- [ERROR] File: /usr/bin/duply not found!"
+ # Check if DUPLY command is installed
+ if ! which duply >/dev/null ; then
+ echo "- [ERROR] Seems like Duply command is not installed!"
 local ver_seven_err="1"
 fi
- # Remove the snap path!
- if [[ ! -L /snap/bin/duplicity && ! -f /usr/local/bin/duplicity ]]; then
- echo "- [ERROR] File: /usr/local/bin/duplicity not found!"
+ # Check if DUPLICITY command is installed
+ if ! which duplicity >/dev/null ; then
+ echo "- [ERROR] Seems like Duplicity command is not installed!"
 local ver_seven_err="1"
 fi
 fi
@@ -958,7 +1091,7 @@ if [[ -z $critical_mode ]]; then
 if [[ $ver_seven_err == "1" ]]; then
 echo "(7) Additional Tools Verification Test has failed!"
 elif [[ $ver_seven_war == "1" ]]; then
- echo "${dim}(4) Additional Tools Verification Test has some warning messages you should attend!${end}${red}"
+ echo "${dim}(7) Additional Tools Verification Test has some warning messages you should attend!${end}${red}"
 else
 echo "${gre}${dim}(7) Additional Tools Verification Test successful!${end}${red}"
 fi 
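Review bot: Replacing `-L /snap/bin/certbot` and `-L /snap/bin/duplicity && -f /usr/local/bin/duplicity` with `which …` makes these three checks depend on the caller's PATH; the removed tests were location-independent, and /snap/bin is often not on the PATH of a sudo session, so a working snap-installed certbot can now be reported as "not installed" depending on how verify was invoked. Keep the known install location as a fallback, e.g. `if ! which certbot >/dev/null && [[ ! -L /snap/bin/certbot ]]; then`, and do the same for the `which duplicity` line with the /snap/bin and /usr/local/bin paths the old code checked.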
@@ -1068,6 +1201,7 @@ if [[ -z $critical_mode ]]; then
 do
 local ver_domi=$(echo $ver_site | cut -f 5 -d "/")
 if [[ $ver_domi != "html" && $ver_domi != $ADMIN_TOOLS_SITE ]]; then
+ # If WordPress, then check connection!
 if [[ $(is_wp $ver_domi) == "true" ]]; then
 if [[ ! -s /etc/nginx/.htpasswd && ! -s /etc/nginx/apps.d/.htpasswd-$ver_domi && $(is_wp_auth $ver_domi) == "true" ]]; then
 echo "${blu}${dim}- [INFO] HTTP Authentication Credentials not found for $ver_domi${end}${red}"
@@ -1085,6 +1219,11 @@ if [[ -z $critical_mode ]]; then
 echo "${red}${dim}- [WARNING] Database connection failed for your WP site $ver_domi (${wp_dbhost}) ${end}${red}"
 local ver_nine_war="1"
 fi
+
+ # If not WP but WP files are found then alert! (people manually installing WP)
+ elif [[ -f /var/www/$ver_domi/wp-config.php || -f /var/www/$ver_domi/htdocs/wp-config.php ]]; then
+ echo "${red}${dim}- [WARNING] Seems like $ver_domi is a WordPress site but configured for a different type! ${end}${red}"
+ local ver_nine_war="1"
 fi
 fi
 done